11 Replies Latest reply: Apr 15, 2012 7:35 PM by Welles Goodrich
Welles Goodrich Level 4 (1,380 points)

A friend used the Kapersky Flashbackcheck.com site to check her MacBook running OS 10.5.8. The UID check indicated her computer was infected so she told me she downloaded and ran the first option that she presumes was the Flashback Removal software. After running it and restarting her computer the screen was blank. There wasn’t even a menu bar. However the Skype login popped up and that ‘suddenly’ made a menu bar appear giving her access to the normal Skype menus, Apple Menu, spotlight etc. A bit of rummaging around indicates that all her files are still there it is just that the desktop doesn’t launch (Finder problem maybe?) after multiple restarts. I don’t have access to the computer and am fairly helpless over the phone but I wondered if anybody has any educated guesses?



Thanks! Remember that I don't have the computer in hand so trying out suggested solutions will be a lengthy process. I won't be able to actually get the computer for a week as she is a student and out of town presently.

Mac Pro, Mac OS X (10.7.3), MacBook Pro, iPad 3G, iPod Touch
  • BDAqua Level 10 (122,242 points)

    Kaspersky might be the whole problem, just one report...



  • Welles Goodrich Level 4 (1,380 points)

    Thanks for that, BDAqua. It doesn't help my friend who has the problem now but is a good warning for other folks who have not yet jumped. I've also posted this question on the Kapersky forums so I'll report back with any info I find.

  • BDAqua Level 10 (122,242 points)


  • a brody Level 9 (65,743 points)

    Apple's most recent update is now out for 10.7 and 10.6.8 with a built-in removal tool.

  • Welles Goodrich Level 4 (1,380 points)

    Thanks a brody. I've already upgraded my Macs which were clean (if nothing else because I've used Little Snitch for many years). Unfortunately that won't address infected 10.5.8 machines. If I can get a hold of the computer affected I'll do a FireWire target disc backup (just for extra data safety) and then install 10.6 presuming that would cure the problems she is having.

  • a brody Level 9 (65,743 points)

    Welles, the best Apple can offer is how to disable Java in 10.5.8 or earlier at this point. 



    If that changes, I'll update my tip:


  • Welles Goodrich Level 4 (1,380 points)

    Thanks. None of this relates to an already SNAFUed computer, though. The best strategy I can see is upgrade the affected computer to 10.6 and just put a new OS on there.

  • BDAqua Level 10 (122,242 points)


  • MadMacs0 Level 5 (4,722 points)

    Welles Goodrich wrote:


    Thanks. None of this relates to an already SNAFUed computer, though. The best strategy I can see is upgrade the affected computer to 10.6 and just put a new OS on there.

    Simply installing a new system will not open up that user account. If there is another admin account, some have been able to clear the problem with a terminal command. Others have used Single User Mode (holding Command-S at startup) and a similar command to clear up similar problems. I'm still waiting on one of the Kaspersky victims to get back to me on whether that worked or not.


    My recommendation would be to follow Linc Davis' advice:

    1. Back up all data to at least two different devices, if you haven't already done so.


    2. Boot from your recovery partition (if running Mac OS X 10.7 or later) or your installation disc (if running an earlier version of the Mac OS), launch Disk Utility, and erase the startup volume. This action will destroy all data on the volume, so you must be sure of your backups.


    3. Install the Mac OS.


    4. Reboot and go through the initial setup process to create an account with the same name as your old one. Don’t import anything from your backups at this stage.


    5. If running Mac OS X 10.6.x or earlier, run Software Update. You may have to run it more than once to fully update your system.


    6. Restore the contents of the top-level subfolders of your home folder except “Library” from the most recent backup. The Library folder may contain components of the malware. This is where restoring becomes difficult, and I can only give general guidelines.


    Of the top-level subfolders of Library that are visible in the Finder, I think it’s safe to restore the following, which contain most of the data you’d want to keep:











    Mail (except Mail/Bundles)

    Safari (except Safari/Extensions)


    The following are not safe to restore, at least not in full:


    Application Support

    Internet Plug-Ins




    If you have Time Machine snapshots of these folders that you’re sure are older than the infection, you can restore from one of those snapshots.


    Folders not mentioned above may or may not be safe. If in doubt, don’t restore them. Don’t restore any hidden files or folders, no matter where they are. Hidden files should be considered suspicious.


    7. If you’re running Mac OS X 10.5.8 or earlier, launch Safari and select Safari Preferences… Security from the menu bar. Uncheck the box labeled Enable Java. Because of known bugs, Java in those OS versions is unsafe to use on the Internet. (Note: I’m not referring to JavaScript, which is unrelated to Java, despite the similar names.) If you’re running Mac OS 10.6.8 or later, you should still disable the Java web plugin unless you really need it. Few websites have legitimate Java content nowadays. If you encounter one that does, enable Java temporarily.


    8. Change every Internet password you have, starting with banking passwords. Check all financial accounts for unauthorized transactions. Take this step only after you’ve secured your system in the preceding steps, not before.


    9. Reinstall your third-party software from fresh downloads or original media, not from backups which may be contaminated.


    10. If you use any third-party web browsers, disable Java in their preferences. As with step 7, this step is mandatory if you’re running any version of Mac OS X older than 10.6. Otherwise it’s optional, but recommended.



    BTW, the tool was pulled today with apologies and a promise to replace it. I hope they don't.

  • Welles Goodrich Level 4 (1,380 points)

    Thanks MadMacs0, that was helpful. I've also contacted Kapersky tech support via the email link  found here...


    http://www.kaspersky.com/about/news/product/2012/Kaspersky_Lab_Fixes_Flashfake_R emoval_Tool_Releases_Updated_Version


    Additionally I have a thread going on the Kapersky support forum which has had a couple of responses but no solution other than the updated removal tool.


    http://forum.kaspersky.com/index.php?s=0ce8645e826dcfab8b465bc21703863d&showtopi c=233441


    I hope there is a simpler solution than a complete rebuild but will keep posting anything of value here.



  • Welles Goodrich Level 4 (1,380 points)

    Well there has been a resolution of this particular computer's problem. She took her Mac to Apple store and they said her "Finder" was gone. They copied her data to an external hard drive, zeroed out her computer and re-installed it as far as I could tell from her description. (That info was passed on to me from her father. It was very good news.)





    PS This kind of support is part of the reason Apple is such a successful company.