
I broke Safari trying to get rid of Flashback malware. How do I fix it?

I foolishly tried following the instructions on the CNET site for finding if I have the Flashback malware and supposedly fixing it:

http://reviews.cnet.com/8301-13727_7-57410096-263/how-to-remove-the-flashback-malware-from-os-x/?tag=mncol;txt


On the page, it says to run this command in Terminal and that if it returns a path result, you have the malware:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment


When I ran the above, it gave me the following:

"DYLD_INSERT_LIBRARIES" = "/Applications/safari.app/contents/resources/.PassmarkMonitorTestV.xsl"


Based on the instructions on the CNET site, I believed that this file was infected and I deleted it, even though it was a hidden file. I followed the rest of the instructions on the page as well, which would supposedly "reset" the infected application, but this didn't work.


I now can't run Safari. It would appear that the file deleted was necessary for it to run.


I tried downloading Safari from the apple.com website so that I can reinstall it, but when I ran the installer, it said I couldn't use it because there was a newer version already on my machine.


I'm running Mac OS X Snow Leopard. I'm not sure what version of Safari I'm running (I can't open Safari) but it must be higher than the version on Apple's site, which is 5.1.4.


Here is the Safari error report:

Process: Safari [516]
Path: /Applications/Safari.app/Contents/MacOS/Safari
Identifier: com.apple.Safari
Version: ??? (???)
Build Info: WebBrowser-75345503~2
Code Type: X86-64 (Native)

Parent Process: launchd [98]


Date/Time: 2012-04-05 21:14:59.436 -0400
OS Version: Mac OS X 10.6.8 (10K549)

Report Version: 6


Interval Since Last Report: 2686299 sec
Crashes Since Last Report: 13

Per-App Crashes Since Last Report: 7

Anonymous UUID: ******


Exception Type: EXC_BREAKPOINT (SIGTRAP)

Exception Codes: 0x0000000000000002, 0x0000000000000000

Crashed Thread: 0


Dyld Error Message:

could not load inserted library: /Applications/Safari.app/Contents/Resources/.PassmarkMonitorTestV.xsl


Binary Images:

0x7fff5fc00000 - 0x7fff5fc3be0f dyld 132.1 (???) <29DECB19-0193-2575-D838-CF743F0400B2> /usr/lib/dyld


How can I repair my Safari installation?


<Edited By Host>

MacBook (13-inch Aluminum Late 2008), Mac OS X (10.6.8)

Posted on Apr 5, 2012 6:23 PM
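Added example, not part of the original thread: the `defaults read` output and the dyld error in the post above describe the same state, an `LSEnvironment` entry in Info.plist whose `DYLD_INSERT_LIBRARIES` value names a file that is no longer on disk. This Python sketch reads an Info.plist and reports that state; the helper names and the `Sample.app` bundle it builds are constructed for illustration.

```python
import os
import plistlib
import tempfile

def inserted_libraries(info_plist):
    """Return [(path, exists)] for each DYLD_INSERT_LIBRARIES entry in LSEnvironment."""
    with open(info_plist, "rb") as fh:
        info = plistlib.load(fh)  # handles both XML and binary plists
    env = info.get("LSEnvironment") or {}
    value = env.get("DYLD_INSERT_LIBRARIES", "")
    # dyld treats the value as a colon-separated list of library paths
    return [(p, os.path.exists(p)) for p in value.split(":") if p]

def classify(info_plist):
    """'clean': no entry; 'injected': entry and file present;
    'dangling': entry present but file missing (dyld aborts the launch)."""
    libs = inserted_libraries(info_plist)
    if not libs:
        return "clean"
    if any(not exists for _, exists in libs):
        return "dangling"
    return "injected"

def make_sample_bundle(root, with_library):
    """Constructed sample: a fake .app carrying the LSEnvironment key from the post."""
    resources = os.path.join(root, "Sample.app", "Contents", "Resources")
    os.makedirs(resources)
    lib = os.path.join(resources, ".PassmarkMonitorTestV.xsl")
    if with_library:
        open(lib, "wb").close()
    plist = os.path.join(root, "Sample.app", "Contents", "Info.plist")
    with open(plist, "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": "example.sample",
                       "LSEnvironment": {"DYLD_INSERT_LIBRARIES": lib}}, fh)
    return plist

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        before = make_sample_bundle(os.path.join(tmp, "a"), with_library=True)
        after = make_sample_bundle(os.path.join(tmp, "b"), with_library=False)
        # State before the file was deleted, then the state the crash report shows
        print(classify(before), classify(after))
```

The "dangling" result corresponds to the "could not load inserted library" line in the crash report: the hidden file is gone, but the Info.plist entry that tells dyld to load it is still there.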

Question marked as Best reply

Posted on Apr 5, 2012 6:40 PM

If you’re certain you know when the infection happened, and you back up with Time Machine or something similar, you can save yourself a lot of time by restoring your whole system from the most recent snapshot taken before it was infected. Then take Steps 7, 8, and 10 below.


How can you tell when the infection took place? All you can be sure of is that you were infected some time before the problems started. You may have visited a blog that prompted you to install some kind of software, or a “certificate.” If you remember doing that recently, mention it in a reply, but don’t post a link.


If you don’t know when you were infected, there's no easy, reliable way to remove the malware, because it's constantly changing. There are differences of opinion on this site as to the best course of action, so you should do your own research before deciding how to proceed.


I suggest you take the following steps:


1. Back up all data to at least two different devices, if you haven't already done so.


2. Boot from your recovery partition (if running Mac OS X 10.7 or later) or your installation disc (if running an earlier version of the Mac OS), launch Disk Utility, and erase the startup volume. This action will destroy all data on the volume, so you must be sure of your backups.


3. Install the Mac OS.


4. Reboot and go through the initial setup process to create an account with the same name as your old one. Don’t import anything from your backups at this stage.


5. If running Mac OS X 10.6.x or earlier, run Software Update. You may have to run it more than once to fully update your system.


6. Restore the contents of the top-level subfolders of your home folder except “Library” from the most recent backup. The Library folder may contain components of the malware. It’s best not to restore anything from there. If you must do so, restore only files, not whole folders with all their contents, and only if (a) they’re visible in the Finder, and (b) you know what they are, and (c) they haven’t been altered. Don’t restore anything in the home subfolder Library/LaunchAgents, if it exists, or any hidden files or folders, no matter where they are.


7. If you’re running Mac OS X 10.5.8 or earlier, launch Safari and select Safari Preferences… Security from the menu bar. Uncheck the box labeled Enable Java. Because of known bugs, Java in those OS versions is unsafe to use on the Internet. (Note: I’m not referring to JavaScript, which is unrelated to Java, despite the similar names.) If you’re running Mac OS 10.6.8 or later, you should still disable the Java web plugin unless you really need it. Few websites have legitimate Java content nowadays. If you encounter one that does, enable Java temporarily.


8. Change every Internet password you have, starting with banking passwords. Check all financial accounts for unauthorized transactions. Take this step only after you’ve secured your system in the preceding steps, not before.


9. Reinstall your third-party software from fresh downloads or original media, not from backups which may be contaminated.


10. If you use any third-party web browsers, disable Java in their preferences. As with step 7, this step is mandatory if you’re running any version of Mac OS X older than 10.6. Otherwise it’s optional, but recommended.

20 replies

Apr 5, 2012 9:37 PM in response to Linc Davis

Linc, the only thing that's obvious here is that you have no grasp on the situation, whereas I have been researching it extensively and have a good grasp of what is going on. You are doing nothing but instilling unneeded fear in people.


In this situation, should the file be malware then it has been removed and will not harm the system or the poster's data. At this point the problem is the program no longer launching properly, which can be easily fixed by reinstalling it from Apple's Web site (http://www.apple.com/safari), but which I am interested in finding a little more about if the OP has the broken program package around.


Your assumption of the worst is not the best advice here.

Apr 6, 2012 2:13 PM in response to DougKW

Mac OS X versions 10.6.7 and later have built-in detection of known Mac malware in downloaded files. The recognition database is automatically updated once a day; however, you shouldn't rely on it, because the attackers are always at least a day ahead of the defenders. In most cases, there’s no benefit from any other automated protection against malware.


The most effective defense against malware is your own intelligence. All known malware that affects an up-to-date Mac OS system takes the form of trojans that can only operate if the victim is duped into running them. If you're smarter than the malware attacker thinks you are, you won't be duped. That means, primarily, that you never install software from an untrustworthy source. How do you know a source is untrustworthy?


  • Any website that prompts you to install a “codec,” “plug-in,” or “certificate” that comes from that same site, or an unknown site, merely in order to use the site, is untrustworthy.
  • A web operator who tells you that you have a “virus,” or that anything else is wrong with your computer, or that you have won a prize in a contest you never entered, is trying to commit a crime with you as the victim.
  • “Cracked” versions of commercial software downloaded from a bittorrent are likely to be infected.
  • Software with a corporate brand, such as Adobe Flash Player, must be downloaded directly from the developer’s website. No intermediary is acceptable.


Disable Java (not JavaScript) in your web browser(s). Few websites have Java content nowadays, so you won’t be missing much. This setting is mandatory in Mac OS X 10.5.8 or earlier, because Java in those versions has bugs that make it unsafe to use on the Internet. Those bugs will probably never be fixed.


Follow these guidelines, and you’ll be as safe from malware as you can reasonably be.


Never install any commercial "anti-virus" products for the Mac, as they all do more harm than good. If you need to be able to detect Windows malware in your files, use ClamXav — nothing else.
