Welles Goodrich wrote:
Thanks. None of this relates to an already SNAFUed computer, though. The best strategy I can see is upgrade the affected computer to 10.6 and just put a new OS on there.
Simply installing a new system will not open up that user account. If there is another admin account, some have been able to clear the problem with a terminal command. Others have used Single User Mode (holding Command-S at startup) and a similar command to clear up similar problems. I'm still waiting on one of the Kaspersky victims to get back to me on whether that worked or not.
My recommendation would be to follow Linc Davis' advice:
1. Back up all data to at least two different devices, if you haven't already done so.
2. Boot from your recovery partition (if running Mac OS X 10.7 or later) or your installation disc (if running an earlier version of the Mac OS), launch Disk Utility, and erase the startup volume. This action will destroy all data on the volume, so you must be sure of your backups.
3. Install the Mac OS.
4. Reboot and go through the initial setup process to create an account with the same name as your old one. Don’t import anything from your backups at this stage.
5. If running Mac OS X 10.6.x or earlier, run Software Update. You may have to run it more than once to fully update your system.
6. Restore the contents of the top-level subfolders of your home folder except “Library” from the most recent backup. The Library folder may contain components of the malware. This is where restoring becomes difficult, and I can only give general guidelines.
Of the top-level subfolders of Library that are visible in the Finder, I think it’s safe to restore the following, which contain most of the data you’d want to keep:
Audio
Calendars
ColorSync
Colors
Favorites
FontCollections
Fonts
Images
Keychains
Mail (except Mail/Bundles)
Safari (except Safari/Extensions)
The following are not safe to restore, at least not in full:
Application Support
Internet Plug-Ins
LaunchAgents
Preferences
If you have Time Machine snapshots of these folders that you’re sure are older than the infection, you can restore from one of those snapshots.
Folders not mentioned above may or may not be safe. If in doubt, don’t restore them. Don’t restore any hidden files or folders, no matter where they are. Hidden files should be considered suspicious.
7. If you’re running Mac OS X 10.5.8 or earlier, launch Safari and select Safari ▹ Preferences… ▹ Security from the menu bar. Uncheck the box labeled Enable Java. Because of known bugs, Java in those OS versions is unsafe to use on the Internet. (Note: I’m not referring to JavaScript, which is unrelated to Java, despite the similar names.) If you’re running Mac OS 10.6.8 or later, you should still disable the Java web plugin unless you really need it. Few websites have legitimate Java content nowadays. If you encounter one that does, enable Java temporarily.
8. Change every Internet password you have, starting with banking passwords. Check all financial accounts for unauthorized transactions. Take this step only after you’ve secured your system in the preceding steps, not before.
9. Reinstall your third-party software from fresh downloads or original media, not from backups which may be contaminated.
10. If you use any third-party web browsers, disable Java in their preferences. As with step 7, this step is mandatory if you’re running any version of Mac OS X older than 10.6. Otherwise it’s optional, but recommended.
BTW, the tool was pulled today with apologies and a promise to replace it. I hope they don't.
