Malware blocking safe mode/updates/filevault

Hi there, I have run into a pesky malware that seems to be the "iWorm" malware that was going around in the last few years.

Problem is, it seems to be more advanced.

The malware has blocked me from performing updates, from turning FileVault OFF so that I can enter safe mode (have also tried entering safe mode via the Terminal but it blocks me from entering my password), and if it lets an antivirus run it won't pick up on anything. I have searched my Library folder and found that I had the JavaW folder in Application Support. But there are no files in the JavaW folder; it is (seemingly) empty. I have also looked through the LaunchAgents and LaunchDaemons folders and seen nothing relating to JavaW in them. In addition to this, when turning on the computer it makes me log in twice and has done for quite some time. But I changed my password yesterday, and the first time it asks me to log in I can only log in using my old password, and then the second password is the updated one? I'm not sure what's going on with that but figured it was worth mentioning. It also won't recognise any USB devices plugged in, so I can't back up my files or run an antivirus from a USB. Oh, and it has blocked me from changing keyboard backlight and has locked volume off as well.

I can usually figure this stuff out, but I've spent close to 24 hours straight researching and have come up empty. Any insight or help would be greatly appreciated. Please find attached my system specs.


IOS 10.11

MacBook Air (13-inch, Mid 2013)

Processor 1.3 GHz Intel Core i5

Memory 4 GB 1600 MHz DDR3
Graphics Intel HD Graphics 5000 1536 MB

MacBook Air, OS X El Capitan (10.11)

Posted on May 8, 2016 10:29 PM

35 replies

May 9, 2016 10:13 PM in response to Bails96

This part is normal:

127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost

The last line is an IPv6 entry; it is reserved by the system.

But your hosts file is blocking these sites:

127.0.0.1 swscan.apple.com
127.0.0.1 swquery.apple.com
127.0.0.1 swdownload.apple.com
127.0.0.1 swcdn.apple.com
127.0.0.1 swdist.apple.com

These are update sites and would prevent security patches from Apple from being available, among other things.

Simply deleting these and saving the file with the removal of these, then updating, would be my recommended course.

If you have a hosts file from a previous backup you could also use that, but this looks like something altered it, either malware, adware or some rogue install.

May 9, 2016 7:20 AM in response to JimmyCMPIT

So use the Terminal command cat /etc/hosts (all words are lowercase; there is a space after cat). Hit enter after typing this command in Terminal, restart from the Apple logo, and a dollar file will come in the Trash. Empty the Trash by shift + command + delete, then hit enter.

Or, if iWorm is there, go to System Library > Application Support > JavaW, or it is best to remove the contents of Application Support from the user Library. All contents are recreated once again by restarting from the Apple logo; hopefully the malware should be removed. Try this command; it will never harm Safari.

May 9, 2016 7:54 AM in response to Bails96

You installed the "iWorm" trojan. The following procedure may leave a few small files behind, but it will permanently deactivate the trojan, as long as you never reinstall it.

"iWorm" is known to be distributed via BitTorrent in the form of a pirated Adobe product. If you've ever downloaded any software from a torrent, delete it. I suggest you delete the torrent client as well, to avoid making the same mistake again. If you know of any other way in which you might have been infected, please give details. That information may help others.

While "iWorm" was present, your computer may have been under the remote control of criminals. Change all Internet passwords and check all financial accounts for unauthorized transactions. Do this after the system has been secured, not before.

According to reports, iWorm is no longer under the control of its originator.

Others may tell you that you should erase the startup volume, reinstall OS X, and restore only user data from a backup in order to be sure that you're rid of the malware. All other software would then have to be reinstalled from fresh downloads or original media. You can do that if you wish, but I've seen no evidence that it's necessary. If you choose that option, you can skip the rest of this comment. Ask for guidance if you need it.

Back up all data before proceeding. If you have more than one user account, you must be logged in as an administrator.

Step 1

Triple-click anywhere in the line below on this page to select it:

/Library/LaunchDaemons/com.JavaW.plist

Right-click or control-click the line and select

Services > Reveal in Finder (or just Reveal)

from the contextual menu.* A folder should open with an item named "com.JavaW.plist" selected. Drag the selected item to the Trash. You may be prompted for your administrator login password.

Restart the computer and empty the Trash. Then delete the following item in the same way:

/Library/Application Support/JavaW

*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

Go > Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.

Step 2

The trojan hacks the system to block software updates from Apple. The file modified is /etc/hosts.

The easiest way to fix the hosts file is to restore it from a backup that predates the modification, or to copy the unmodified file from another Mac. If you can't do that, then do as below.

Triple-click anywhere in the line below on this page to select it:

open -e /etc/hosts

Copy the selected text to the Clipboard by pressing the key combination command-C.

Paste into a Terminal window by pressing command-V. A TextEdit window should open. At the top of the window, you should see this:

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost

Below that, you may see some other lines. The first 9 lines should be exactly as above, apart from differences in the blank space within lines. Otherwise you can't use this procedure—STOP and ask for guidance.

If the contents of the TextEdit window are as described, close it, then enter the following command in the Terminal window in the same way as before (by copy and paste):

sudo sed -i~ '10,$d' /etc/hosts

You may be prompted for your login password, which won't be displayed when you type it. Type carefully and then press return. If you don’t have a login password, you’ll need to set one before you can run the command. You may get a one-time warning to be careful. Confirm. Quit Terminal.

If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator. Log in as one and start over.

That will fix the hosts file. There is now a copy of the old hosts file with the name "hosts~" in the same folder as "hosts". You can delete the copy if you wish. Don't delete the file named "hosts".
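As an added example (not code from the thread or any of its posters), the following Python check covers both the hosts entries JimmyCMPIT flagged and the Step 2 procedure above: it verifies that the first 9 lines match the stock header modulo whitespace, lists every apple.com name mapped to a non-routable address (generalising beyond the five names quoted in the thread), and shows what `sed -i~ '10,$d'` would leave behind. The sample hosts content is constructed.

```python
import ipaddress

# Default OS X hosts header quoted in the thread (9 lines); compared ignoring
# whitespace differences, as the procedure allows.
DEFAULT_HEADER = """##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost""".splitlines()

# Constructed sample: stock header, the fe80 line the thread calls normal, then
# the kind of update-server overrides the thread found (0.0.0.0 variant added).
SAMPLE_HOSTS = "\n".join(DEFAULT_HEADER[:6]) + """
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0 localhost
127.0.0.1 swscan.apple.com
127.0.0.1 swquery.apple.com
0.0.0.0 swcdn.apple.com   # 0.0.0.0 blocks just like 127.0.0.1
"""

def header_intact(text):
    """True if lines 1-9 match the default header, modulo whitespace."""
    lines = [" ".join(l.split()) for l in text.splitlines()[:9]]
    return lines == DEFAULT_HEADER

def blocked_entries(text, domain=".apple.com"):
    """(line_no, address, host) for each name under `domain` that is mapped to
    a non-global address (loopback, 0.0.0.0, private, link-local)."""
    hits = []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()          # strip comment, tokenise
        try:
            addr = ipaddress.ip_address(parts[0].split("%")[0])  # drop %lo0 scope
        except (IndexError, ValueError):
            continue
        for host in (h.lower().rstrip(".") for h in parts[1:]):
            if host.endswith(domain) and not addr.is_global:
                hits.append((no, parts[0], host))
    return hits

def restore_default(text):
    """Result of the thread's `sudo sed -i~ '10,$d' /etc/hosts`: lines 1-9 only.
    Returns None if the header is not intact (the thread says STOP then)."""
    return "\n".join(text.splitlines()[:9]) + "\n" if header_intact(text) else None
```

Run `blocked_entries(open("/etc/hosts").read())` on a real machine to list offending lines with their line numbers before deleting anything.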

May 9, 2016 4:01 PM in response to appreciate

I tried the sudo command to automatically boot in safe mode, but when it asked for my password I was blocked from entering it. I have not tried any other sudo commands, as that is very unfamiliar territory for me and I have no idea what I'm doing when it comes to that, so I can't say for sure if none work. Also, the cat /etc/hosts showed the exact same response in Terminal as more /etc/hosts. Did I do something wrong, or is that what was meant?

Thanks for your ongoing support everyone, I really appreciate it.

May 9, 2016 7:36 PM in response to Linc Davis

Okay guys, so I've done all this (btw Linc, I don't have the JavaW file in LaunchDaemons; it was only in Application Support as a folder name, but there was no file in there).

Getting rid of the lines blocking the Apple website from updating on my computer worked, but the virus is still here even after the most recent update to the OS was installed. Nothing else seems to have changed.

It still won't allow me to boot in safe mode through sudo commands in Terminal either.

May 9, 2016 8:02 PM in response to Bails96

In the top menu bar: press Finder, keep holding the option key (don't release it), click on Library, go to the Preferences folder, and find the JavaW plist (or V Search, if it is there); if found, trash it. Also, sometimes in the user Library a folder named Containers is there; see if any JavaW or V Search is there. If found, delete it.

Also on the hard disk: click on Go > Computer > Mac HD > System > Library and find a folder Frameworks. Remove only v.framework or v search.framework if found; other things are never to be removed from here.

May 9, 2016 8:23 PM in response to appreciate

1. defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

Hopefully, you'll get the following response: The domain/default pair of (/Users/<yourusername>/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist. Congrats.

  1. Let's double check that the CPU is clean.
  2. defaults read /Applications/Safari.app/Contents/Info LSEnvironment : "does not exist" means congrats, meaning no virus is in the system.
  3. defaults read /Applications/Firefox.app/Contents/Info LSEnvironment : it should again state "does not exist"; congrats.
  4. Type the first command and verify what it shows, after that the second, and then the third. Do not type all commands at a time; they should be typed separately.

This is the way to find out whether a Mac has a virus, but only in the rarest case does a virus (.exe, .db, .txt files appearing means locked files) appear on Mac computers, as viruses always replicate (multiply) themselves. Try the commands and let us know.

May 9, 2016 8:40 PM in response to Bails96

sudo commands always work in the root user account, so go to the root user account. In Terminal type: sudo su (there is a space after sudo; both words are lowercase), then hit enter. It will ask for your username password; enter it. Then again in Terminal type another command: cd directory (there is a space after cd; both words are lowercase) and hit enter.

In Finder you must see a locked file like .jpeg or .db, .txt.

Now the third command: type rm -f and drag and drop the locked file next to rm -f. Note there is a space after rm; both words are lowercase.

So the final command will be: rm -f. Hit enter, and after that click enter and exit the command.

But sudo commands are never to be run if one is not experienced (avoid it).

May 9, 2016 9:32 PM in response to Linc Davis

Well, something isn't gone, because all my other symptoms in my initial post remain. I can't read USBs, I can't turn off FileVault, I can't see or search for files in Finder through the search bar; it all has to be manual. And the log in is very slow and the screen glitches out. These are all things that were sudden onset yesterday, and the only thing that's managed to be remedied is updating the OS X, but again that hasn't fixed any of the other problems.

May 9, 2016 9:46 PM in response to Bails96

None of that is related to "iWorm."

Please read this whole message before doing anything.

This procedure is a diagnostic test. It’s unlikely to solve your problem. Don’t be disappointed when you find that nothing has changed after you complete it.

The purpose of the test is to determine whether the problem is caused by third-party software that loads automatically at startup or login, by a peripheral device, by a font conflict, or by corruption of the file system or of certain system caches.

Disconnect all wired peripherals except those needed for the test, and remove all aftermarket expansion cards, if applicable. Start up in safe mode and log in to the account with the problem.

Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for further instructions.

Safe mode is much slower to start up and run than normal, with limited graphics performance, and some things won’t work at all, including sound output and Wi-Fi on certain models. The next normal startup may also be somewhat slow.

The login screen appears even if you usually log in automatically. You must know your login password in order to log in. If you've forgotten the password, you will need to reset it before you begin.

Test while in safe mode. Same problem?

After testing, restart as usual (not in safe mode) and verify that you still have the problem. Post the results of the test.
