50 Replies. Latest reply: Apr 13, 2012 4:11 PM by walterfromct
walterfromct Level 1 (0 points)

Had a weird experience this AM.  Was checking email via Safari when a screen popped up asking for permission to update software.  I declined, because I didn't know who was trying to do what (i.e., there were no update icons in the Dock, etc.).  Then, the fun began.

 

I tried to open EXCEL next and it wouldn't open.  It immediately failed with a message saying the application quit unexpectedly, etc., etc.  Same thing happened with every other Office app.  After much discussion with Apple, then Microsoft, and then Apple again, I was able to un-install Microsoft Office but the kicker is: I got the same failure when I tried to re-install the apps from the CD (i.e., I got an immediate failure when I double-clicked the install icon).

 

With Microsoft's help, I was able to set up another user profile with Admin capability, and the apps installed just fine using that profile.  So, the problem appears to be with my main profile.  However, Apple is stumped and gave up trying to help me.

 

So, I'm now in the situation where the Apps are on my machine under 1 profile and the data is under another profile. AND, I just discovered that Quicken fails when I try to open it in my 1st Profile too.

 

So,

 

1.  Has this happened to anyone else out there?  If so, how'd you get around it?

 

2.  Is there a way to share files between profiles?  I know I can probably copy the Microsoft files on a portable drive, but I'm concerned about the Quicken database.  Not sure how to transport this data between Users.

 

Any help would be GREATLY appreciated.

 

PS.  I'm running Snow Leopard.  There are no pending software updates.


iMac, Mac OS X (10.6.8)
  • Linc Davis Level 10 (173,520 points)

    Launch the Console application in any of the following ways:

     

    Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)

     

    In the Finder, select Go > Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

     

    If you’re running Mac OS X 10.7 or later, open LaunchPad. Click Utilities, then Console in the page that opens.

     

    Step 1

     

    Enter the name of the crashed application or process in the Filter text field. Post the messages from the time of the last crash, if any — the text, please, not a screenshot.

     

    Step 2

     

    Still in the Console window, look under User Diagnostic Reports for crash reports related to the process. The report name starts with the name of the crashed process, and ends with ".crash". Select the most recent report and post the contents — again, the text, not a screenshot. For privacy’s sake, I suggest that, before posting, you edit out the “Anonymous UUID,” a long string of letters, numbers, and dashes in the header of the report, if it’s present (it may not be.)

  • walterfromct Level 1 (0 points)

    Thanks for the quick response.

     

    I looked at the console entries as you suggested and it's loaded from all of today's activities.  I'm not sure I'll be able to sync up the entries you requested.

     

    So, I'm going to wait until tomorrow morning, recreate the error by attempting to re-install MS Office, and then post tomorrow's console entries as you requested.  That way, I'll be sure various messages will be sync'd up.

     

    Thanks, again.  And stay tuned.

  • walterfromct Level 1 (0 points)

    Linc,

     

    I attempted to re-install MS Office from the CD 1st thing after booting up this AM and it failed again.

     

    Here's the console info. you suggested:

     

    The messages:

     

    4/2/12 8:51:05 AM          com.apple.launchd[1]          *** launchd[1] has started up. ***

    4/2/12 8:51:27 AM          com.apple.launchd.peruser.501[88]          (com.apple.ReportCrash) Falling back to default Mach exception handler. Could not find: com.apple.ReportCrash.Self

    4/2/12 8:51:31 AM          com.apple.launchd.peruser.501[88]          (com.apple.Kerberos.renew.plist[113]) Exited with exit code: 1

    4/2/12 8:52:12 AM          Pages[127]          contentBoundsOrigin = {0, 0}

    4/2/12 8:52:12 AM          Pages[127]          contentBoundsOrigin = {0, 0}

    4/2/12 8:52:12 AM          Pages[127]          contentBoundsOrigin = {0, 0}

    4/2/12 8:52:12 AM          Pages[127]          contentBoundsOrigin = {0, 0}

    4/2/12 8:52:12 AM          Pages[127]          contentBoundsOrigin = {0, 0}

    4/2/12 8:52:59 AM          [0x0-0x10010].com.microsoft.setupassistant[146]          dyld: could not load inserted library: /Users/Shared/.libgmalloc.dylib

    4/2/12 8:52:59 AM          com.apple.launchd.peruser.501[88]          ([0x0-0x10010].com.microsoft.setupassistant[146]) Job appears to have crashed: Trace/BPT trap

    4/2/12 8:52:59 AM          ReportCrash[148]          Saved crash report for LaunchCFMApp[146] version ??? (???) to /Users/waltersemolic/Library/Logs/DiagnosticReports/LaunchCFMApp_2012-04-02-085259_Macintosh.crash

    4/2/12 8:53:16 AM          com.apple.WindowServer[67]          Mon Apr  2 08:53:16 Macintosh.local WindowServer[67] <Error>: kCGErrorFailure: Set a breakpoint @ CGErrorBreakpoint() to catch errors as they are logged.

     

    The Report:

     

    Process:         LaunchCFMApp [146]

    Path:            /Volumes/Microsoft Office 2004/Office Setup Assistant

    Identifier:      com.microsoft.setupassistant

    Version:         ??? (???)

    Code Type:       PPC (Translated)

    Parent Process:  launchd [88]

     

    Date/Time:       2012-04-02 08:52:59.122 -0400

    OS Version:      Mac OS X 10.6.8 (10K549)

    Report Version:  6

     

    Exception Type:  EXC_CRASH (SIGTRAP)

    Exception Codes: 0x0000000000000000, 0x0000000000000000

    Crashed Thread:  0  Dispatch queue: com.apple.main-thread

     

    Thread 0 Crashed:  Dispatch queue: com.apple.main-thread

    0   libSystem.B.dylib                       0x80239236 __pthread_kill + 10

    1   libSystem.B.dylib                       0x80238ad7 pthread_kill + 95

    2   LaunchCFMApp                            0xb80bfb30 0xb8000000 + 785200

    3   LaunchCFMApp                            0xb80c0037 0xb8000000 + 786487

    4   LaunchCFMApp                            0xb80dd8e8 0xb8000000 + 907496

    5   LaunchCFMApp                            0xb8145397 spin_lock_wrapper + 1791

    6   LaunchCFMApp                            0xb801ceb7 0xb8000000 + 118455

     

    Thread 1:

    0   libSystem.B.dylib                       0x80142afa mach_msg_trap + 10

    1   libSystem.B.dylib                       0x80143267 mach_msg + 68

    2   LaunchCFMApp                            0xb819440f CallPPCFunctionAtAddressInt + 206231

    3   libSystem.B.dylib                       0x80170259 _pthread_start + 345

    4   libSystem.B.dylib                       0x801700de thread_start + 34

     

    Thread 0 crashed with X86 Thread State (32-bit):

      eax: 0x00000000  ebx: 0x802fc540  ecx: 0xb7fff9ac  edx: 0x80239236

      edi: 0xb8211640  esi: 0x00000005  ebp: 0xb7fff9d8  esp: 0xb7fff9ac

       ss: 0x0000001f  efl: 0x00000286  eip: 0x80239236   cs: 0x00000007

       ds: 0x0000001f   es: 0x0000001f   fs: 0x00000000   gs: 0x00000037

      cr2: 0x8023922c

     

    Binary Images:

    0x80000000 - 0x8005dff7  com.apple.framework.IOKit 2.0 (???) <3DABAB9C-4949-F441-B077-0498F8E47A35> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

    0x8007d000 - 0x800e7fe7  libstdc++.6.dylib 7.9.0 (compatibility 7.0.0) <411D87F4-B7E1-44EB-F201-F8B4F9227213> /usr/lib/libstdc++.6.dylib

    0x80142000 - 0x802e9ff7  libSystem.B.dylib 125.2.11 (compatibility 1.0.0) <2DCD13E3-1BD1-6F25-119A-3863A3848B90> /usr/lib/libSystem.B.dylib

    0x8036b000 - 0x804e6fe7  com.apple.CoreFoundation 6.6.6 (550.44) <F88C95CD-1264-782D-A1F5-204739847E93> /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation

    0x805de000 - 0x805ecfe7  libz.1.dylib 1.2.3 (compatibility 1.0.0) <33C1B260-ED05-945D-FC33-EF56EC791E2E> /usr/lib/libz.1.dylib

    0x805f1000 - 0x805fdff7  libkxld.dylib ??? (???) <9A441C48-2D18-E716-5F38-CBEAE6A0BB3E> /usr/lib/system/libkxld.dylib

    0x80601000 - 0x80647ff7  libauto.dylib ??? (???) <29422A70-87CF-10E2-CE59-FEE1234CFAAE> /usr/lib/libauto.dylib

    0x80654000 - 0x807d6fe7  libicucore.A.dylib 40.0.0 (compatibility 1.0.0) <D5980817-6D19-9636-51C3-E82BAE26776B> /usr/lib/libicucore.A.dylib

    0x80838000 - 0x808e5fe7  libobjc.A.dylib 227.0.0 (compatibility 1.0.0) <9F8413A6-736D-37D9-8EB3-7986D4699957> /usr/lib/libobjc.A.dylib

    0x808f9000 - 0x808fcfe7  libmathCommon.A.dylib 315.0.0 (compatibility 1.0.0) <1622A54F-1A98-2CBE-B6A4-2122981A500E> /usr/lib/system/libmathCommon.A.dylib

    0x8fe00000 - 0x8fe4162b  dyld 132.1 (???) <749D24EE-54BD-D74B-D305-C13F5E6C95D8> /usr/lib/dyld

    0xb8000000 - 0xb81defff  LaunchCFMApp ??? (???) <CC0F32CD-4587-7C83-03D0-9CFE28A58FB6> /System/Library/Frameworks/Carbon.framework/Versions/A/Support/LaunchCFMApp

    0xffff0000 - 0xffff1fff  libSystem.B.dylib ??? (???) <2DCD13E3-1BD1-6F25-119A-3863A3848B90> /usr/lib/libSystem.B.dylib

     

    Translated Code Information:

    objc[146]: garbage collection is ON

    NO CRASH REPORT

     

    Additional useful(??) info.  Every so often I've had to Force Quit out of Excel, especially if Safari was up and I had opened a spreadsheet that came via email.  This has been going on for quite a while.
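
Added example, not part of the original posts: the dyld message in the log above is what dyld prints when a library named in the DYLD_INSERT_LIBRARIES environment variable cannot be loaded. This sketch pulls such lines out of Console text, ties each one to the launchd crash record for the same PID, and notes why a path looks unusual; the `SYSTEM_PREFIXES` list and the fourth sample line are assumptions made for the example.

```python
import re
from pathlib import PurePosixPath

# First three lines are copied from the post above; the last one is constructed
# to show a library under /usr/lib for contrast.
SAMPLE_LOG = """\
4/2/12 8:52:12 AM          Pages[127]          contentBoundsOrigin = {0, 0}
4/2/12 8:52:59 AM          [0x0-0x10010].com.microsoft.setupassistant[146]          dyld: could not load inserted library: /Users/Shared/.libgmalloc.dylib
4/2/12 8:52:59 AM          com.apple.launchd.peruser.501[88]          ([0x0-0x10010].com.microsoft.setupassistant[146]) Job appears to have crashed: Trace/BPT trap
4/2/12 9:10:03 AM          ExampleTool[201]          dyld: could not load inserted library: /usr/lib/libgmalloc.dylib
"""

# Assumption for this example: libraries under these prefixes are OS-supplied.
SYSTEM_PREFIXES = ("/usr/lib/", "/System/Library/")

INSERT_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)\s+(?P<sender>\S+)\[(?P<pid>\d+)\]\s+"
    r"dyld: could not load inserted library: (?P<path>.+?)\s*$")
CRASH_RE = re.compile(
    r"\((?P<job>\S+)\[(?P<pid>\d+)\]\) Job appears to have crashed: (?P<sig>.+?)\s*$")


def find_inserted_library_failures(log_text):
    """Return one record per failed library insertion found in Console text."""
    lines = log_text.splitlines()

    # Map PID -> crash reason reported by launchd (PIDs can repeat across
    # reboots, so feed this one boot session at a time).
    crashes = {}
    for line in lines:
        m = CRASH_RE.search(line)
        if m:
            crashes[m["pid"]] = m["sig"]

    findings = []
    for line in lines:
        m = INSERT_RE.match(line)
        if not m:
            continue
        path = m["path"]
        reasons = []
        if any(part.startswith(".") for part in PurePosixPath(path).parts):
            reasons.append("hidden path component")
        if not path.startswith(SYSTEM_PREFIXES):
            reasons.append("outside system library directories")
        findings.append({
            "time": m["ts"],
            "process": m["sender"],
            "pid": int(m["pid"]),
            "library": path,
            "crash": crashes.get(m["pid"]),   # None if no crash was logged
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in find_inserted_library_failures(SAMPLE_LOG):
        print(f["time"], f["process"], f["library"], f["crash"], f["reasons"])
```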

  • Linc Davis Level 10 (173,520 points)

    You installed a variant of what’s usually called the “Flashback” malware, although the name is obsolete.

     

    If you’re absolutely sure you know when that happened, and you back up with Time Machine or something similar, you can save yourself a lot of time by restoring your whole system from the most recent snapshot taken before it was infected. Then take Steps 7 and 8 below.

     

    How can you tell when the infection took place? All you can be sure of is that you were infected some time before the problems started. You may have visited a blog that prompted you to install some kind of software, or a “certificate.” If you remember doing that recently, mention it in a reply, but don’t post a link. Or you may have downloaded a file with a Bittorrent client, always a dependable source of malware.

     

    If you don’t know when you were infected, there's no easy, reliable way to remove the malware, because it's constantly changing. I suggest you take the following steps immediately:

     

    1. Back up all data to at least two different devices, if you haven't already done so.

     

    2. Boot from your recovery partition (if running Mac OS X 10.7 or later) or your installation disc (if running an earlier version of the Mac OS), launch Disk Utility, and erase the startup drive. This action will destroy all data on the drive, so you must be sure of your backups.

     

    3. Install the Mac OS.

     

    4. Reboot and go through the initial setup process to create an account with the same name as your old one. Don’t import anything from your backups at this stage.

     

    5. If running Mac OS X 10.6.x or earlier, run Software Update.

     

    6. Restore the contents of the top-level subfolders of your home folder except “Library” from the most recent backup. The Library folder may contain components of the malware. It’s best not to restore anything from there. If you must do so, restore only files, not folders, and only if they’re visible in the Finder, and then only if you’re absolutely sure you know what they are and they haven’t been altered. Don’t restore anything in the home subfolder Library/LaunchAgents, if it exists, or any hidden files or folders, no matter where they are.

     

    7. If you’re running Mac OS X 10.5.x or earlier, disable Java in Safari’s preferences, and leave it disabled until you upgrade to Mac OS X 10.6.8 or later, including all available updates. The Java web plugin is unsafe to use under older versions of the Mac OS. Note: I’m not referring to JavaScript, which is unrelated to Java, despite the similar names. Although there’s no conclusive proof, some have suggested that the Java web plugin is unsafe to use in any version of the Mac OS. Legitimate Java content is uncommon on modern websites, so you should consider disabling Java in all your browsers regardless of your Mac OS version.

     

    8. Change every Internet password you have, starting with banking passwords. Check all financial accounts for unauthorized transactions. Take this step only after you’ve secured your system in the preceding steps, not before.

     

    9. Reinstall your third-party software from fresh downloads or original media, not from backups which may be contaminated. If you use any third-party web browsers under Mac OS X 10.5.x or earlier, disable Java in their preferences, as you did with Safari in step 7.

     

    More information about Flashback can be found by searching this site, or the Web.

     

    If you use a Mac OS version older than 10.6, you should upgrade at least to 10.6.8 as soon as possible, even if you have to buy a new computer. Those older Mac OS versions are no longer maintained by Apple, and they may have other security holes, besides the one mentioned above, that make them permanently unsafe to use on the Internet.

  • walterfromct Level 1 (0 points)

    Linc,

     

    Thanks for your help.

     

    I've tried to be careful, but I guess I wasn't careful enough.

     

    I have no clue when I first became infected, as there have been instances of flakey behavior on and off for quite some time now.  So, it looks like I'll need to do it the hard way.  What a PAIN!

     

    It's funny that you should mention "certificates".  I've been getting "invalid certificate" messages off and on from many of the web-sites I frequent, and they had no idea why.  I thought it was a quirk in Safari.  Maybe this explains it.

     

    I also do a lot of on-line banking and, fortunately, nothing bad has happened yet.

     

    So, I'll start by backing up (copying) my data files and then I'll get cracking.

     

    Some questions re: data files:

     

    1.  Is there a chance I'll re-infect my machine when I restore my data files?

     

    2.  I have a lot of photos in iPhoto and videos in iMovie.  How do I ensure these are backed up (copied)?

     

    Any additional advice will be GREATLY appreciated.

     

    Thanks again, for your help.

     

    I'll let you know how things turn out.

     

    HERE WE GO!

  • WZZZ Level 6 (12,775 points)

    Linc Davis wrote: Don’t restore anything in the home subfolder Library/LaunchAgents, if it exists, or any hidden files or folders, no matter where they are.

    Linc, how does one avoid restoring the hidden, dot files or folders, since, by definition, they are invisible? Toggle hidden on during the restore using Terminal or TinkerTool first?

  • Linc Davis Level 10 (173,520 points)

    I can't tell you what the malware does. Nobody knows. A document as such, as long as it's just a document and not in any special folder, cannot in itself function as malware, though it could be part of a malware installation.

     

    Some iPhoto and iMovie settings are stored in the home Library, but the documents should be in the Pictures and Movies folders, respectively. As long as those are backed up and restored, you should be OK. You'll need to recreate your settings.

  • Linc Davis Level 10 (173,520 points)

    Linc, how does one avoid restoring the hidden, dot files or folders, since, by definition, they are invisible?

     

    The easiest way is to follow the above instructions exactly. Don't restore the whole home folder or the Library subfolder. Only restore the contents of the visible top-level folders such as Documents, Desktop, etc. Some parts of the trojan might conceivably get through, but they wouldn't be effective without the rest.
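
Added example, not from any poster in this thread: one way to script the selective restore described in step 6 and in the reply above, copying only the visible top-level folders of a backed-up home folder, leaving out Library, and dropping hidden entries at every depth. The function names and the sample tree are constructed for the example; "hidden" here means a dot-prefixed name or the BSD hidden flag.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path


def is_hidden(path):
    """Dot-prefixed name, or the BSD 'hidden' file flag (macOS/BSD only)."""
    flags = getattr(os.lstat(path), "st_flags", 0)  # attribute absent elsewhere
    return Path(path).name.startswith(".") or bool(flags & stat.UF_HIDDEN)


def restore_visible_folders(backup_home, new_home, skip=("Library",)):
    """Copy visible top-level folders from backup_home into new_home.

    Top-level files, symlinks, hidden entries and anything named in `skip`
    are left behind. Returns the list of paths that were not restored.
    """
    skipped = []

    def ignore_hidden(directory, names):
        # Called by copytree for every directory it descends into.
        hidden = [n for n in names if is_hidden(os.path.join(directory, n))]
        skipped.extend(os.path.join(directory, n) for n in hidden)
        return hidden

    for entry in sorted(Path(backup_home).iterdir()):
        if (is_hidden(entry) or entry.name in skip
                or entry.is_symlink() or not entry.is_dir()):
            skipped.append(str(entry))
            continue
        shutil.copytree(entry, Path(new_home) / entry.name,
                        ignore=ignore_hidden, symlinks=True, dirs_exist_ok=True)
    return skipped


def demo():
    """Build a constructed backup tree, restore it, report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, target = Path(tmp, "backup"), Path(tmp, "restored")
        for rel in ("Documents/budget.xls", "Documents/.hidden/file",
                    "Pictures/cat.jpg", "Library/LaunchAgents/com.example.plist",
                    ".profile"):
            f = backup / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text("constructed sample\n")
        target.mkdir()
        skipped = restore_visible_folders(backup, target)
        restored = sorted(str(p.relative_to(target))
                          for p in target.rglob("*") if p.is_file())
        return restored, sorted(os.path.relpath(s, backup) for s in skipped)


if __name__ == "__main__":
    print(demo())
```

Review the returned list of skipped paths before discarding the backup, since it shows exactly what was left out.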

  • WZZZ Level 6 (12,775 points)

    One silver lining to this very dark cloud is that those who lose their PPC apps at least have a chance to discover they've been infected. They must represent only the tip of a huge iceberg of infected users.

  • walterfromct Level 1 (0 points)

    Linc,

     

    I currently use MAC OS X Version 10.6.8 (Snow Leopard) and iLife 09.

     

    Maybe now's the time to upgrade my operating system, etc., and/or move up to a new machine?

     

    Would going directly to new software and/or a new machine present a problem, or do I need to re-establish a clean version of my current configuration before going forward?

  • noondaywitch Level 6 (8,130 points)

    I've just been reading a report via The Register that suggests the vulnerability being exploited by Flashback is not fixed in the latest Mac Java update, although it was fixed in Windows versions some time ago.

     

    Do not trust Java on any OS version.

  • Linc Davis Level 10 (173,520 points)

    You need a working 10.6.8 installation in order to buy and install Lion.

  • WZZZ Level 6 (12,775 points)

    Yeah, this infected user was asked what Java version he was running when infected:

     

    NuLynx wrote:

     

    java version "1.6.0_29"

     

    MadMacs0 wrote:

     

    Thanks, that's consistent with what others have told me over the past couple of days. Appears that they have found another way to infect.

     

     

    https://discussions.apple.com/message/18020948#18020948

     

    Best to disable Java in the browser and uncheck the On boxes in Java Preferences>General

  • walterfromct Level 1 (0 points)

    It appears that the trojan may also be related to Rosetta, which is used by older versions of Office and Quicken.

     

    If so, then cleaning my machine as you described and then re-loading the apps will re-infect my machine.  No?

     

    There's a similar discussion of this problem on Microsoft's web site, and they say that Office for MAC 2008 and the latest version of Quicken do not use Rosetta.

     

    Re: my own recovery.  I had trouble running my backups and took my machine to the genius bar at an Apple Store in CT.  They got the backup to run, after switching to a new external drive.  I was also able to copy my Documents and Pictures folders to Flash drives.  However, I couldn't copy the Movies folder, so I tried to copy each individual file.  They all copied except the iMovie Project Files, which failed to copy.  So, I've got a Time Machine back up of my machine on an external drive and copies of the Document, Pictures, and (partial) Movies folders on Flash drives.

     

    The Genius Bar guys didn't seem to know about Flashback, but their recommended solution was to un-install Office and Quicken, re-load Snow Leopard, run the updates and then try to re-install Office and Quicken, which I tried.  Everything went great.  The re-install of Office even started off great (i.e., it didn't crash like before) UNTIL it downloaded Rosetta as part of the re-install at which point it immediately crashed.

     

    So, it looks like, on top of everything else, I'll need to upgrade to later versions of Office and Quicken.
