Thanks, a brody. I've already upgraded my Macs, which were clean (if nothing else because I've used Little Snitch for many years). Unfortunately that won't address infected 10.5.8 machines. If I can get a hold of the computer affected I'll do a FireWire target disk backup (just for extra data safety) and then install 10.6, presuming that would cure the problems she is having.
Welles Goodrich wrote:
Thanks. None of this relates to an already SNAFUed computer, though. The best strategy I can see is upgrade the affected computer to 10.6 and just put a new OS on there.
Simply installing a new system will not open up that user account. If there is another admin account, some have been able to clear the problem with a terminal command. Others have used Single User Mode (holding Command-S at startup) and a similar command to clear up similar problems. I'm still waiting on one of the Kaspersky victims to get back to me on whether that worked or not.
My recommendation would be to follow Linc Davis' advice:
1. Back up all data to at least two different devices, if you haven't already done so.
2. Boot from your recovery partition (if running Mac OS X 10.7 or later) or your installation disc (if running an earlier version of the Mac OS), launch Disk Utility, and erase the startup volume. This action will destroy all data on the volume, so you must be sure of your backups.
3. Install the Mac OS.
4. Reboot and go through the initial setup process to create an account with the same name as your old one. Don’t import anything from your backups at this stage.
5. If running Mac OS X 10.6.x or earlier, run Software Update. You may have to run it more than once to fully update your system.
6. Restore the contents of the top-level subfolders of your home folder except “Library” from the most recent backup. The Library folder may contain components of the malware. This is where restoring becomes difficult, and I can only give general guidelines.
Of the top-level subfolders of Library that are visible in the Finder, I think it’s safe to restore the following, which contain most of the data you’d want to keep:
Mail (except Mail/Bundles)
Safari (except Safari/Extensions)
The following are not safe to restore, at least not in full:
If you have Time Machine snapshots of these folders that you’re sure are older than the infection, you can restore from one of those snapshots.
Folders not mentioned above may or may not be safe. If in doubt, don’t restore them. Don’t restore any hidden files or folders, no matter where they are. Hidden files should be considered suspicious.
8. Change every Internet password you have, starting with banking passwords. Check all financial accounts for unauthorized transactions. Take this step only after you’ve secured your system in the preceding steps, not before.
9. Reinstall your third-party software from fresh downloads or original media, not from backups which may be contaminated.
10. If you use any third-party web browsers, disable Java in their preferences. As with step 7, this step is mandatory if you’re running any version of Mac OS X older than 10.6. Otherwise it’s optional, but recommended.
BTW, the tool was pulled today with apologies and a promise to replace it. I hope they don't.
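A shell script for the selective restore in step 6 of the procedure above, added here as an example; it is not from this thread and not part of Linc Davis's steps. It assumes the old home folder is available from a backup at some path and copies only what the step calls safe: every top-level folder except Library, then Library/Mail without Mail/Bundles and Library/Safari without Safari/Extensions, skipping hidden files and folders at every level. Skipping symlinks is my own conservative addition, and the sample backup tree the script builds is constructed for the demonstration.

```shell
#!/bin/sh
# Selective home-folder restore after a wipe-and-reinstall (example script,
# not from the original thread). Implements the restore rules of step 6:
#   * copy every top-level folder of the backed-up home EXCEPT Library
#   * from Library, copy only Mail (minus Mail/Bundles) and Safari
#     (minus Safari/Extensions)
#   * never copy hidden files or folders, wherever they are
#   * everything else in Library is left alone for manual review
# Symlinks are skipped as well: a link may point into Library or outside
# the backup. This is an assumption made here; the steps do not mention them.

# name_in_list NAME "a b c": succeeds if NAME is one of the listed words.
name_in_list() {
  local n s
  n=$1
  for s in $2; do
    if [ "$s" = "$n" ]; then return 0; fi
  done
  return 1
}

# copy_visible SRC DST [SKIP]: recursively copy the non-hidden, non-symlink
# entries of SRC into DST. Entries directly under SRC whose name is in the
# space-separated SKIP list are not copied. The "*" glob never matches
# dotfiles, which enforces the "no hidden files" rule at every level.
copy_visible() {
  local src dst skip entry name
  src=$1; dst=$2; skip=${3:-}
  mkdir -p "$dst"
  for entry in "$src"/*; do
    if [ ! -e "$entry" ] || [ -L "$entry" ]; then continue; fi
    name=${entry##*/}
    if name_in_list "$name" "$skip"; then
      echo "skipping $entry" >&2
      continue
    fi
    if [ -d "$entry" ]; then
      copy_visible "$entry" "$dst/$name"
    else
      cp -p "$entry" "$dst/$name"
    fi
  done
}

# restore_home BACKUP_HOME NEW_HOME: apply the step 6 rules.
restore_home() {
  local backup home
  backup=$1; home=$2
  copy_visible "$backup" "$home" "Library"
  if [ -d "$backup/Library/Mail" ]; then
    copy_visible "$backup/Library/Mail" "$home/Library/Mail" "Bundles"
  fi
  if [ -d "$backup/Library/Safari" ]; then
    copy_visible "$backup/Library/Safari" "$home/Library/Safari" "Extensions"
  fi
}

# build_sample_backup DIR: a constructed stand-in for a backed-up home
# folder, including the kinds of items step 6 says NOT to bring back.
build_sample_backup() {
  local b
  b=$1
  mkdir -p "$b/Documents" "$b/Pictures" \
           "$b/Library/Mail/V2/Mailboxes" "$b/Library/Mail/Bundles/Unknown.mailbundle" \
           "$b/Library/Safari/Extensions" "$b/Library/LaunchAgents"
  echo report    > "$b/Documents/report.txt"
  echo hidden    > "$b/Documents/.DS_Store"     # hidden: must not be restored
  echo profile   > "$b/.bash_profile"           # hidden: must not be restored
  echo cat       > "$b/Pictures/cat.jpg"
  echo message   > "$b/Library/Mail/V2/Mailboxes/msg.emlx"
  echo plist     > "$b/Library/Mail/Bundles/Unknown.mailbundle/Info.plist"  # Mail/Bundles: not restored
  echo bookmarks > "$b/Library/Safari/Bookmarks.plist"
  echo ext       > "$b/Library/Safari/Extensions/Unknown.safariextz"        # Safari/Extensions: not restored
  echo agent     > "$b/Library/LaunchAgents/com.example.agent.plist"       # rest of Library: not restored
}

# Demo on the constructed tree; lists what actually landed in the new home.
demo_dir=$(mktemp -d)
build_sample_backup "$demo_dir/backup"
restore_home "$demo_dir/backup" "$demo_dir/home"
( cd "$demo_dir/home" && find . -type f | sort )
rm -rf "$demo_dir"
```

On the constructed tree only four files come across (Documents/report.txt, Pictures/cat.jpg, Library/Mail/V2/Mailboxes/msg.emlx, Library/Safari/Bookmarks.plist); the dotfiles, Mail/Bundles, Safari/Extensions and LaunchAgents stay behind, which is the point of doing this with a script rather than dragging the whole Library folder back in the Finder.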
Thanks, MadMacs0, that was helpful. I've also contacted Kaspersky tech support via the email link found here...
Additionally I have a thread going on the Kaspersky support forum which has had a couple of responses but no solution other than the updated removal tool.
I hope there is a simpler solution than a complete rebuild but will keep posting anything of value here.
Well, there has been a resolution of this particular computer's problem. She took her Mac to an Apple Store and they said her "Finder" was gone. They copied her data to an external hard drive, zeroed out her computer and re-installed it, as far as I could tell from her description. (That info was passed on to me from her father. It was very good news.)
PS This kind of support is part of the reason Apple is such a successful company.