50 Replies Latest reply: Apr 13, 2012 4:11 PM by walterfromct
  • 30. Re: Non-Apple Software No Longer Works
    Linc Davis Level 10 (117,990 points)

    You only need the drive to restore. You can detach it until you're ready to do that.

  • 31. Re: Non-Apple Software No Longer Works
    Joel Bruner1 Level 1 (30 points)

    Sounds like your computer has a totally unrelated problem but everyone thinks it's THE VIRUS!!!!!!

     

    I'd say:

    Reboot, hold down Command-S

    at the command prompt: fsck -fy

     

    See if you have disk corruption

     

    Then type in: reboot

     

    On reboot hold down Shift

    This will do a safe boot and also clean out the caches

     

    If you get to the login screen great.

    If not, hold down power, then power back on

    Hold down Command-V - for verbose mode

    See where you get stuck in the boot process.

     

    The fact that apps didn't launch doesn't mean you have a virus necessarily

  • 32. Re: Non-Apple Software No Longer Works
    noondaywitch Level 6 (8,130 points)

    Post withdrawn

     

    Message was edited by: noondaywitch

  • 33. Re: Non-Apple Software No Longer Works
    Linc Davis Level 10 (117,990 points)

    Sounds like your computer has a totally unrelated problem but everyone thinks it's THE VIRUS!!!!!!

     

    Everyone who knows what he's talking about thinks it's THE VIRUS!!!!!! That's because it is THE VIRUS!!!!!!

     

    From the crash report on the first page of this thread:

     

    could not load inserted library: /Users/Shared/.libgmalloc.dylib

     

    That's proof of infection with a Flashback variant (type 2.)

  • 34. Re: Non-Apple Software No Longer Works
    MadMacs0 Level 4 (3,725 points)

    Badunit wrote:

     

    According to f-secure, the Flashback trojan checks for older versions of Office and deletes itself without infection if it detects any of them (unless you gave it your admin password).

    That's only true for Office 2008 and 2011 or if you have Word in your /Applications/ folder and not nested in another folder.

    The link below is an interesting read on the installation process of Flashback, if you are interested in that kind of thing.

     

    http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

    That document does not cover the current variant. You should be reading http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml which covers what we believe is the current variant which has been around since the last week in March.

  • 35. Re: Non-Apple Software No Longer Works
    Joel Bruner1 Level 1 (30 points)

    Ah sorry - missed that...

     

    So then...

    Reboot.

    Command-S

     

    #if you need to check filesystem

    fsck -fy

     

    #mount the file system as writeable

    mount -uw /

     

    #delete the offending library

    rm -rf /Users/Shared/.libgmalloc.dylib

     

    Then there is no library to load...  even though it appears to have failed loading and what was causing the crashes...

     

    And go through F-Secure's checklist: http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

  • 36. Re: Non-Apple Software No Longer Works
    MadMacs0 Level 4 (3,725 points)

    Joel Bruner1 wrote:

     

    Ah sorry - missed that...

     

    So then...

    Reboot.

    Command-S

     

    #if you need to check filesystem

    fsck -fy

     

    #mount the file system as writeable

    mount -uw /

     

    #delete the offending library

    rm -rf /Users/Shared/.libgmalloc.dylib

     

    Then there is no library to load...  even though it appears to have failed loading and what was causing the crashes...

    And the user will be locked out of his account because the loader won't be able to find the dylib as happened earlier this morning

    And go through F-Secure's checklist: http://www.f-secure.com/..._osx_flashback_i.shtml

    That information has been obsolete and does not reflect the current variant which has been infecting since the end of March! The correct reference can be found at http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml which has been out for over a week now.

     

    DO NO HARM!

  • 37. Re: Non-Apple Software No Longer Works
    Joel Bruner1 Level 1 (30 points)

    Deleting a malicious dylib won't lock a user out.

    How would it?

    But what do I know...

     

    "DO NO HARM"

     

    Oh lord, so self-righteous, deleting an errant dylib that's being injected through an infected Info.plist isn't doing harm, that's how you get rid of the infection... But hey, listen to the man with 595 points, I only have 10...

     

    Feel free to lead the man through time machine restores, reinstalls, and other fun exercises...

     

    I don't know why I even bothered... my bad.

    Saw this post linked from the "About Flashback" Apple page and popped in...

     

    You guys have it all under control.

  • 38. Re: Non-Apple Software No Longer Works
    MadMacs0 Level 4 (3,725 points)

    Joel Bruner1 wrote:

     

    Deleting a malicious dylib won't lock a user out.

    How would it?

    As I said by leaving the dylib loader command in ~/.MacOSX/environment.plist. There are dozens of examples here in the forum, at least one each of the last two days. Today's example is here thanks to Kaspersky.

     

    It's just that I am worn out trying to chase incorrect information. Every tool posted on the internet until a few minutes ago was originally based on an incorrect reference to a mostly obsolete variant of this thing. That along with various users dropping by with incomplete information have probably ruined more users' days than has the malware itself.

     

    Sorry to have come down on you, but at that point I had already tried to put out fires by contacting three developers about their tools and one or two other well meaning users that complicated an infected user's life.

     

    I realize that Intego is trying to sell software here, but after my experiences here, these words ring very true to me:

    A number of web sites have been circulating information telling users how to find out if they are infected with the Flashback malware. Since these instructions include a number of obscure commands to be run in Terminal, several developers have released free applications that users can run to check their Macs, without needing to know how to use Terminal.

    Unfortunately, this information can be misleading, because the instructions that circulate discuss just one variant of the Flashback malware. There are some two dozen variants already, each of which puts files of different names in different locations; these instructions and applications will therefore not find any but the one specific variant that they target.

    These instructions may instill a false sense of security in users who follow them, or who run applications that use them. A user may be told that he or she is not infected, when their Mac may actually be infected, but just by a different variant. Finally, these instructions are all the more worrisome because information on the Internet has a long life-span. Users who find this information in a month or two may still think that it is valid.

  • 39. Re: Non-Apple Software No Longer Works
    drummerboy47 Level 1 (0 points)

    I'm locked out. I used the Kaspersky tool and I can't login properly. I figured out how to login as root user and it works fine. Can anybody tell me how to fix my normal account?

  • 40. Re: Non-Apple Software No Longer Works
    MadMacs0 Level 4 (3,725 points)

    drummerboy47 wrote:

     

    I'm locked out. I used the Kaspersky tool and I can't login properly. I figured out how to login as root user and it works fine. Can anybody tell me how to fix my normal account?

    I tested this command out this morning as a secondary admin user and it worked with sudo, so should work for you. Just fill in the <lockedoutuserID>

     

    defaults delete /Users/<lockedoutuserID>/.MacOSX/environment DYLD_INSERT_LIBRARIES
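
Added example, not part of any post in this thread and not code from any of the tools mentioned: posts 36 to 40 describe a login failure when the library is deleted while ~/.MacOSX/environment.plist still names it in DYLD_INSERT_LIBRARIES. This Python script reports that state for one home directory and removes only that key, leaving other variables in place; the function names and status labels are assumptions, and the sample data is constructed.

```python
import os
import plistlib
import tempfile

KEY = "DYLD_INSERT_LIBRARIES"

def plist_path(home):
    """Per-user login environment file discussed in the thread."""
    return os.path.join(home, ".MacOSX", "environment.plist")

def audit(home):
    """Return (status, libraries, other_keys) for one home directory.

    status: 'no-plist', 'no-key', 'dangling' (the key names a library
    that is no longer on disk, the lockout case) or 'present'.
    """
    path = plist_path(home)
    if not os.path.isfile(path):
        return "no-plist", [], []
    with open(path, "rb") as fh:
        env = plistlib.load(fh)              # reads XML and binary plists
    others = sorted(k for k in env if k != KEY)
    value = env.get(KEY)
    if not value:
        return "no-key", [], others
    libs = [p for p in str(value).split(":") if p]   # dyld takes a colon-separated list
    missing = [p for p in libs if not os.path.exists(p)]
    return ("dangling" if missing else "present"), libs, others

def remove_key(home):
    """Drop only DYLD_INSERT_LIBRARIES; every other variable is kept."""
    path = plist_path(home)
    with open(path, "rb") as fh:
        env = plistlib.load(fh)
    removed = env.pop(KEY, None) is not None
    if removed:
        with open(path, "wb") as fh:
            plistlib.dump(env, fh)
    return removed

if __name__ == "__main__":
    # Constructed sample: a plist that points at a library already deleted.
    home = tempfile.mkdtemp()
    os.makedirs(os.path.join(home, ".MacOSX"))
    with open(plist_path(home), "wb") as fh:
        plistlib.dump({KEY: os.path.join(home, ".libgmalloc.dylib"),
                       "EDITOR": "bbedit"}, fh)
    print(audit(home))
    print(remove_key(home), audit(home))
```

Run it from an account that can read the affected home directory, passing that directory to `audit` before deciding whether to call `remove_key`.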

  • 41. Re: Non-Apple Software No Longer Works
    Joel Bruner1 Level 1 (30 points)

    Yeah, right environment.plist that old thing, forgot about that... I'll try and pay more attention to long threads, my bad... once these things start squirreling themselves away they tend to illuminate the old crufty corners of OS X:

    https://developer.apple.com/library/mac/#documentation/MacOSX/Conceptual/BPRuntimeConfig/Articles/EnvironmentVars.html

    http://developer.apple.com/library/mac/#qa/qa1067/_index.html

     

    I'm gonna go out on a limb here and say nuke the whole **** thing (environment.plist), I've yet to see an app that actually uses it! Deleting DYLD_INSERT_LIBRARIES is just deleting one key in environment, what's in the rest of it?

     

    #read it all

    defaults read /Users/username/.MacOSX/environment

     

    #move it out to the Desktop

    mv /Users/username/.MacOSX/environment.plist /Users/username/Desktop

     

    #move it back in case there's lots of great stuff in there you really need

    mv /Users/username/Desktop/environment.plist /Users/username/.MacOSX/

     

    #what else is in your home folder? lists all files including dot files

    ls -la /Users/username

     

    #anything else in .MacOSX?

    ls -la /Users/username/.MacOSX

     

    #nuke the whole crufty mess

    rm -rf /Users/username/.MacOSX

     

    YMMV

    Also above commands are assuming you are either in single user mode, or in another account logged in as root with sudo -s

  • 42. Re: Non-Apple Software No Longer Works
    MadMacs0 Level 4 (3,725 points)

    Joel Bruner1 wrote:

     

    I'm gonna go out on a limb here and say nuke the whole **** thing (environment.plist), I've yet to see an app that actually uses it!

    BBEdit does and one user told us about another. There's a two day argument going on elsewhere about proper or improper use of environment.plist that seems to be going nowhere. There is even a segment of this forum that says get rid of .MacOSX as not needed and I suspect they are mostly correct.

  • 43. Re: Non-Apple Software No Longer Works
    walterfromct Level 1 (0 points)

    Linc, etc.

     

    FYI.

     

    I sent Apple Security an e-mail describing my situation.

     

    Here's their response.

     

    "Thank you for reporting this. We truly appreciate your assistance in helping us to maintain and improve the security of our products.

     

    We are aware of this issue and have published detailed information at http://support.apple.com/kb/HT5244. We also will release software that will detect and remove the Flashback malware, and update the support article at that time. Further information on the security content of any release will also be posted at http://support.apple.com/kb/HT1222."

  • 44. Re: Non-Apple Software No Longer Works
    walterfromct Level 1 (0 points)

    It looks like Apple has released its Flashback fix via a software update.

     

    Click on the 2nd link in my post, above, to read the description.

     

    I'm not sure it'll help me, though, because I can't boot/log-in as the infected user because of the script that went awry.

     

    Will give it a try, though, via the un-infected user.

     

    Maybe I ought to restore my machine to a point before I ran the script?

     

    Any advice?