How to remove OSX.Flashback-8?

I have been infected with an OSX.Flashback-8 based on ClamXav. I need help removing it. I am not a Unix user, so I am having trouble finding and removing files from another user account. Please help.
Here is a summary of what has happened in order:
1- Skype would give an error "Skype quit unexpectedly".
2- Then I noticed Office gave the same error.
3- I joined the Skype quit discussion: https://discussions.apple.com/thread/3080937?start=15&tstart=0
4- Disk utility also found and repaired disk permissions. (see more on this on the previous thread)
5- Based on advice I received from folks on that site, I installed ClamXav. (Sophos wasn't finding anything).
6- Then using Terminal I did:
bash-3.2$ ls -a /Users/Shared
.                       .libgmalloc.dylib       SC Info
..                      .localized
.DS_Store               CV-CoverLetter
bash-3.2$ ls -a ~/
.CFUserTextEncoding
.DS_Store
.MacOSX
.Trash
.Xauthority
.anyconnect
.bash_history
.dropbox
.fontconfig
.null
.serverauth.982
.swt
Desktop
Documents
Downloads
Dropbox
...followed by all my personal folders in this location.
7- I found out "This is almost a sure sign of infection by the Flashback Trojan."
8- ClamXav found a "heuristics.phishing.email.spoofeddomain" in a 1469.emlx IMAP email account.
9- Current day:
My problem got worse. I moved /Users/Shared/.libgmalloc.dylib into another directory.
bash-3.2$ cd /Users/Shared
bash-3.2$ mv .libgmalloc.dylib ~/Documents/Quarantine
It locked me out and I couldn't do anything else. I got these messages.
dyld: could not load inserted library: /Users/Shared/.libgmalloc.dylib
Trace/BPT trap
bash-3.2$ ls -a /Documents/Quarantine
dyld: could not load inserted library: /Users/Shared/.libgmalloc.dylib
Trace/BPT trap
bash-3.2$ ls -a ~/
dyld: could not load inserted library: /Users/Shared/.libgmalloc.dylib
I tried rebooting. Now I can't even log in anymore. I created another admin account and am trying to change users on Unix shell to log in as the initial user and try to move back the .libgmalloc.dylib.
10- I am running ClamXav on the second admin user account I created. It found: OSX.Flashback-8
Now, I really need help figuring out how to remove this, and access my first admin account.
I am very new to Unix. Have been trying "su username" but it doesn't accept my password. Can you possibly send me a short script to get me to:
1- switch users to the old user account, so I can access the files
2- view and move the .libgmalloc.dylib file into the old location.
3- tell me the way to remove OSX.Flashback-8?
My plan is to log in to the old account, delete all files.
Alternatively, can you tell me how to:
- Remove this user completely.
- OR go back to the original factory settings and start all over.
I am not worried about losing data. All was backed up.
Please help. I really want to be done with this issue once and for all.
Thanks much

You installed a variant of what’s commonly called the “Flashback” malware, although the name is obsolete.
If you’re certain you know when that happened, and you back up with Time Machine or something similar, you can save yourself a lot of time by restoring your whole system from the most recent snapshot taken before it was infected. Then take Steps 7, 8, and 10 below.
How can you tell when the infection took place? All you can be sure of is that you were infected some time before the problems started. You may have visited a blog that prompted you to install some kind of software, or a “certificate.” If you remember doing that recently, mention it in a reply, but don’t post a link.
If you don’t know when you were infected, there's no easy, reliable way to remove the malware, because it's constantly changing. There are differences of opinion on this site as to the best course of action, so you should do your own research before deciding how to proceed.
I suggest you take the following steps:
1. Back up all data to at least two different devices, if you haven't already done so.
2. Boot from your recovery partition (if running Mac OS X 10.7 or later) or your installation disc (if running an earlier version of the Mac OS), launch Disk Utility, and erase the startup volume. This action will destroy all data on the volume, so you must be sure of your backups.
3. Install the Mac OS.
4. Reboot and go through the initial setup process to create an account with the same name as your old one. Don’t import anything from your backups at this stage.
5. If running Mac OS X 10.6.x or earlier, run Software Update. You may have to run it more than once to fully update your system.
6. Restore the contents of the top-level subfolders of your home folder except “Library” from the most recent backup. The Library folder may contain components of the malware. It’s best not to restore anything from there. If you must do so, restore only files, not folders, and only if (a) they’re visible in the Finder, and (b) you know what they are, and (c) they haven’t been altered. Don’t restore anything in the home subfolder Library/LaunchAgents, if it exists, or any hidden files or folders, no matter where they are.
7. If you’re running Mac OS X 10.5.8 or earlier, launch Safari and select Safari ▹ Preferences… ▹ Security from the menu bar. Uncheck the box labeled Enable Java. Because of known bugs, Java in those OS versions is unsafe to use on the Internet. (Note: I’m not referring to JavaScript, which is unrelated to Java, despite the similar names.) If you’re running Mac OS 10.6.8 or later, you should still disable the Java web plugin unless you really need it. Few websites have legitimate Java content nowadays. If you encounter one that does, enable Java temporarily.
8. Change every Internet password you have, starting with banking passwords. Check all financial accounts for unauthorized transactions. Take this step only after you’ve secured your system in the preceding steps, not before.
9. Reinstall your third-party software from fresh downloads or original media, not from backups which may be contaminated.
10. If you use any third-party web browsers, disable Java in their preferences. As with step 7, this step is mandatory if you’re running any version of Mac OS X older than 10.6. Otherwise it’s optional, but recommended.
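The dyld errors in the question show why moving the library locked the account: every new process in that login session is told to load an inserted library that is no longer there. The shell script below is an added diagnostic, not code from the thread or from Apple; it assumes the injection is configured through the DYLD_INSERT_LIBRARIES key in the per-user ~/.MacOSX/environment.plist (the hidden .MacOSX folder appears in the poster's home listing, but the page does not show its contents), classifies the account as clean, injected, or locked out, and the plist and placeholder .dylib it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Read-only triage of the
# "dyld: could not load inserted library" symptom in the question.
# Assumption (labelled): the library is injected through the
# DYLD_INSERT_LIBRARIES key in the per-user ~/.MacOSX/environment.plist,
# which would explain why every command in that account died once
# /Users/Shared/.libgmalloc.dylib was moved. Nothing is moved or deleted
# on a real system; the script only reports.

# Print the DYLD_INSERT_LIBRARIES value from a plist file, or nothing.
# Plain awk so it runs anywhere; the key's value is the next <string>.
dyld_insert_value() {
    [ -f "$1" ] || return 1
    awk '/<key>DYLD_INSERT_LIBRARIES<\/key>/ { want = 1; next }
         want && /<string>/ {
             sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
         }' "$1"
}

# Classify an account from the path of its environment.plist:
#   CLEAN             no DYLD_INSERT_LIBRARIES key (or no plist at all)
#   INJECTION_PRESENT key set and every listed library exists
#   LIBRARY_MISSING   key set but a library is gone (the lockout in the question)
triage_dyld_insert() {
    value=$(dyld_insert_value "$1") || value=""
    [ -n "$value" ] || { echo CLEAN; return 0; }
    state=INJECTION_PRESENT
    # The variable is colon-separated; check each listed path.
    old_ifs=$IFS; IFS=:
    for lib in $value; do
        if [ -e "$lib" ]; then
            echo "present: $lib" >&2
        else
            echo "missing: $lib" >&2
            state=LIBRARY_MISSING
        fi
    done
    IFS=$old_ifs
    echo "$state"
}

# Constructed sample: a scratch home directory with the assumed plist and a
# placeholder dylib standing in for the one named in the question.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/.MacOSX" "$demo_dir/shared"
: > "$demo_dir/shared/.libgmalloc.dylib"
cat > "$demo_dir/.MacOSX/environment.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>$demo_dir/shared/.libgmalloc.dylib</string>
</dict>
</plist>
EOF

# Before and after the library is moved, as the poster did:
before=$(triage_dyld_insert "$demo_dir/.MacOSX/environment.plist")
mv "$demo_dir/shared/.libgmalloc.dylib" "$demo_dir/quarantine.dylib"
after=$(triage_dyld_insert "$demo_dir/.MacOSX/environment.plist")
echo "before move: $before   after move: $after"
# -> before move: INJECTION_PRESENT   after move: LIBRARY_MISSING
rm -rf "$demo_dir"
```

On the affected Mac, `defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES` reads the same key; the warning in step 6 against restoring hidden files is what keeps this plist, and the library it points at, from coming back from a backup.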

Similar Messages

  • How to remove OSX error/fake space on HD.

So the only real problem I've had with OSX, is that sometimes if you quit a partitioning, in this case I stopped a Boot Camp partitioning, but this can also happen when deleting things like Virtual Machines. I did both today, and now I have around 100GB of air, that can not be removed. Basically Disk Utility and everything else says that there is over 100GB of "other" which is the virtual machine I deleted + the failed partition that disappeared and somehow went into my main partition. So I'm asking, cause this is the 1 issue I've had with OSX, and it's really annoying, cause this is like the 3rd time I'll have to reinstall everything.. Is there a way to fix this?

    What?? What does that have to do with anything, and it's not my fault that there is no way provided to uninstall some things in OSX.

  • Can someone please tell me how to remove Norton from my Mac. I am using OSX 10.5.8

    Can someone please tell me how to remove Norton from my Mac. I am using OSX 10.5.8

    Norton Removal Tool (Symantec Uninstaller):
    http://www.symantec.com/business/support/index?page=content&id=TECH103489&locale=en_US

  • Does the latest osx update remove the flashback malware

    Does the latest osx update remove the flashback malware?

    From Thomas A. Reed's post:
    There is malware (called Flashback) that has been actively taking advantage of Java vulnerabilities on Macs, installing as a drive-by download with no user interaction required when visiting a malicious web site.  Apple's latest Java update patches these vulnerabilities, though it's still possible for that malware to use social exploits to trick you into installing it.  You would do best to turn off Java in your web browser...  you probably won't miss it at all.
    See:
    http://www.reedcorner.net/news.php?tag=flashback

  • How to remove magicjack plus osx  10.7.5

    Hello,
    I am new to Mac and I am not a Unix system programmer.
    I purchased a MagicJack Plus for my sister and I set it up using my new iMac for her. Now I would like to remove the setup software from my iMac as I do not like to leave extraneous software on my machine.  Also, MagicJack seems to be even more clueless than me, which I find VERY disturbing.
    I.  I viewed and attempted to execute instructions outlined in "How do I uninstall magicJack from my computer?" on MJ website as follows:
    Download CompleteUninstall.sh. After the download is complete, open a terminal window by navigating to /Applications/Utilities/Terminal.
    In the Terminal Window, navigate to your download directory (usually Downloads) by typing cd Downloads and pressing enter. Next, type chmod+x CompleteUninstall.sh and press enter. Now type ./CompleteUninstall.sh and press enter again.
    For reference the CompleteUninstall.sh script contains the following:
    #!/bin/sh
    # instalator files
    rm -rf ~/.magicJack
    rm -rf ~/MJInstlogs
    rm -rf ~/Desktop/Start\ magicJack.app
    # softphone files
    rm -rf ~/Library/Preferences/magicJack
    # WebKit cache
    rm -rf ~/Library/Caches/magicJack
    II.  These are the results:
    Last login: Tue Apr 23 11:36:11 on ttys000
    Larrys-iMac:~ ldwalker$ cd Downloads
    Larrys-iMac:Downloads ldwalker$ chmod+x CompleteUninstall.sh
    -bash: chmod+x: command not found
    Larrys-iMac:Downloads ldwalker$
    The change ownership command failed, I presume because the path to the Unix Commands directory is not set? If so, how do I set it and then reset everything back to current defaults?
    Thanks in advance for any help you can provide!

    baltwo,
    Thanks VERY much.......this solved my problem. 
    I just cut and pasted the command into my terminal session.  I assumed the format was correct as the exact same command set format was used on several different web sites giving instructions on how to remove the magicjack software.
    Amazing how incorrect info gets propagated around the web!

  • Does anyone know how to remove pop up, malware and virus form OS X 10.9.5, there is a lot of pop up on my mac book air.

    Does anyone know how to remove pop up and malware. There is a lot of pop up on my mac book air OSX 10.10

    Helpful Links Regarding Malware Problems
    If you are having an immediate problem with ads popping up see The Safe Mac » Adware Removal Guide and AdwareMedic.
    Open Safari, select Preferences from the Safari menu. Click on Extensions icon in the toolbar. Disable all Extensions. If this stops your problem, then re-enable them one by one until the problem returns. Now remove that extension as it is causing the problem.
    The following comes from user stevejobsfan0123. I have made minor changes to adapt to this presentation.
    Fix Some Browser Pop-ups That Take Over Safari.
    Common pop-ups include a message saying the government has seized your computer and you must pay to have it released (often called "Moneypak"), or a phony message saying that your computer has been infected, and you need to call a tech support number (sometimes claiming to be Apple) to get it resolved. First, understand that these pop-ups are not caused by a virus and your computer has not been affected. This "hijack" is limited to your web browser. Also understand that these messages are scams, so do not pay any money, call the listed number, or provide any personal information. This article will outline the solution to dismiss the pop-up.
    Quit Safari
    Usually, these pop-ups will not go away by either clicking "OK" or "Cancel." Furthermore, several menus in the menu bar may become disabled and show in gray, including the option to quit Safari. You will likely have to force quit Safari. To do this, press Command + option + esc, select Safari, and press Force Quit.
    Relaunch Safari
    If you relaunch Safari, the page will reopen. To prevent this from happening, hold down the 'Shift' key while opening Safari. This will prevent windows from the last time Safari was running from reopening.
    This will not work in all cases. The shift key must be held at the right time, and in some cases, even if done correctly, the window reappears. In these circumstances, after force quitting Safari, turn off Wi-Fi or disconnect Ethernet, depending on how you connect to the Internet. Then relaunch Safari normally. It will try to reload the malicious webpage, but without a connection, it won't be able to. Navigate away from that page by entering a different URL, i.e. www.apple.com, and trying to load it. Now you can reconnect to the Internet, and the page you entered will appear rather than the malicious one.
    An excellent link to read is Tom Reed's Mac Malware Guide.
    Also, visit The XLab FAQs and read Detecting and avoiding malware and spyware.
    See these Apple articles:
      Mac OS X Snow Leopard and malware detection
      OS X Lion- Protect your Mac from malware
      OS X Mountain Lion- Protect your Mac from malware
      OS X Mavericks- Protect your Mac from malware
      About file quarantine in OS X
    If you require anti-virus protection Thomas Reed recommends using ClamXAV. (Thank you to Thomas Reed for this recommendation.)
    From user Joe Bailey comes this equally useful advice:
    The facts are:
    1. There is no anti-malware software that can detect 100% of the malware out there.
    2. There is no anti-malware that can detect everything targeting the Mac.
    3. The very best way to prevent the most attacks is for you as the user to be aware that the most successful malware attacks rely on very sophisticated social engineering techniques preying on human avarice, ****, and fear.
    4. Internet popups saying the FBI, NSA, Microsoft, your ISP has detected malware on your computer are intended to entice you to install their malware thinking it is a protection against malware.
    5. Some of the anti-malware products on the market are worse than the malware from which they purport to protect you.
    6. Be cautious where you go on the internet.
    7. Only download anything from sites you know are safe.
    8. Avoid links you receive in email, always be suspicious even if you get something you think is from a friend, but you were not expecting.
    9. If there is any question in your mind, then assume it is malware.

  • Remove the flashback logs in EBS environment.

    Hi,
    In my production database (primary) machine flashback is ON.
    So, logs are being created in the following directory:
    /d01/silprod/SILP/db/apps_st/data/archives/SILP01_SER/flashback
    In my physical standby database flashback is OFF.
    So, My question is that:
    Can I remove the flashback logs from production safely?
    Thanks.

    Hi,
    How do I identify which archive logs are no longer needed and can be deleted, and how do I reclaim the archive space?
    Are the steps below correct?
    Archive location: /d01/silprod/SILP/db/apps_st/data/archives/SILP01_SER/archivelog
    Archive file names look like: o1_mf_1_894_5jpkly8k_.arc -------------> Sequence#=894
    Archive size occupied:
    > du -sh archivelog/ ------------> 2.7G archivelog/
    STEP#1:
    SQL> SELECT THREAD#, SEQUENCE# FROM V$LOG WHERE STATUS='CURRENT'; -----------> RESULT: THREAD#=1 AND SEQ$= 894
    SQL> ALTER SYSTEM ARCHIVE LOG CURRENT;---------------->DONE
    SQL> SELECT THREAD#, SEQUENCE# FROM V$LOG WHERE STATUS='CURRENT'; -----------> RESULT: THREAD#=1 AND SEQ$= 895
    Confirm the current file has been applied to the standby database with the query below:
    SQL> SELECT MAX(SEQUENCE#) FROM V$LOG_HISTORY; -----------------> RESULT: THREAD#=1 AND SEQ$= 894
    Step#2:(Memory)
    > delete unwanted archive log files from disk (rm, del commands)---------> all archive files deleted except PROD_1_894.arc
    RMAN> crosscheck archivelog all; - marks in the controlfile that the archives have been deleted
    RMAN> delete expired archivelog all; - deletes the log entries identified above.
    But how do I identify which flashback files are no longer needed and can be deleted, and how do I reclaim the flashback space?
    Flashback location: /d01/silprod/SILP/db/apps_st/data/archives/SILP01_SER/flashback
    Flashback file names look like: o1_mf_5jlc8gb0_.flb, o1_mf_5jlcb2bv_.flb etc. ------------> how do I identify which file (the file name has no sequence#) I should delete?
    Flashback size occupied:
    > du -sh flashback/ ------------> 3.5G flashback/

  • How to remove automatically launched items/apps?

    Sorry if this is a duplicate question.
    Actually I didn't find a good answer for disabling items that automatically launch when OS X starts.
    I've removed all startup items from the login startup items (System Preferences - Users & Groups - Login Items).
    Nothing found in the StartupItems folder (Library - StartupItems) either.
    But some items are still automatically launched on Mac start (such as Splashtop Streamer, Busycall).
    How do I remove those startup items without completely uninstalling them?
    Any help would be appreciated.

    Those are system modifications, and if you want them to do what they do, they have to load at startup. If you don't like what they do, remove them according to the developer's instructions, or refer to the developer for support.

  • How to remove latest java virus?

    How to remove latest java virus manually as reported in the media?

    There is some incorrect information being presented in this thread.
    Neither your system nor Java is updated daily. XProtect on 10.6 or above may get automatic updates as they are pushed out by Apple, but not necessarily daily. I have seen a week or more go by without any, and there have been none for the latest Flashback attack.
    There are now Java updates for 10.6.8 and 10.7 to patch the vulnerability that is currently being exploited. This Trojan does not necessarily require your password or any user interaction for infection.
    Use Software Update to see if there is a Java update for your OS.
    The github Flashchecker is inadequate as it depends on outdated definitions.
    Try using this one, which is most certainly more current.
    http://www.f-secure.com/weblog/archives/00002346.html
    Apple is currently developing a detection and removal tool. No idea when it will be ready.
    http://support.apple.com/kb/HT5244

  • How to remove viruses

    Is there a virus remover for macs?

    Not really needed, but see:
    Helpful Links Regarding Flashback Trojan and Virus Protection
    An excellent link to read is Tom Reed's Mac Malware Guide.
    A link to a great User Tip about the trojan: Flashback Trojan User Tip.
    To check for the trojan: Anti Flashback Trojan 2.0.4.
    A Google search can reveal a variety of alternatives on how to remove the trojan should your computer get infected. This can get you started. Or the preferred method is to use Apple's protection tool: Flashback Malware Removal Tool 1.0.
    Or, open Software Update. If you do not have the Apple protection software installed it will download and install it via Software Update. If no update appears that means you either already have it installed or it isn't needed for your system. The software is only available for Leopard, Snow Leopard, and Lion versions of OS X.
    Also see Apple's article About Flashback malware.
    For general anti-virus protection I only recommend using ClamXav.
    For the DNS Changer malware see the following:
    Will your internet service cut off on July 9?
    DCWG | DNS Changer Working Group
    How to remove the DNS Changer malware

  • How to remove Mighty Mouse software...

    Does anyone know how to remove the Mighty Mouse software and go back to the default mouse preferences pane that came with OSX?
    thank you
    David

    I have had this same problem. I had Tiger, and my Mighty Mouse worked fine. But then I installed the CD that came with it and it ruined the mouse pref pane so that it looked like you were using the Mighty Mouse in 10.3.9.
    I had no fix to this, but when I got my wireless Mighty Mouse and installed the software, it restored the preference pane and now my wired Mighty Mouse has the Tiger features again.

  • Could someone please explain how to check for flashback, to a beginner?

    Could someone please explain how to check for flashback, to a beginner?  Thanks.

    Install all of the available software updates.  If you have flashback it will be automatically removed.

  • Firefox hangs on opening requiring force quit I have snow leopard mac It hangs when I try safe mode. I need to know how to remove all traces of firefox on my mac so I can reinstall. I have tried terminal as advised on firefox webpage. Please advise m

    Firefox hangs on opening requiring force quit I have snow leopard Mac It even hangs when I try safe mode. I need to know how to remove all traces of firefox on my mac so I can reinstall. I have tried terminal as advised on firefox webpage. Please advise me
    == This happened ==
    Every time Firefox opened
    == I tried to update firefox add-ons ==
    == User Agent ==
    Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3; en-us) AppleWebKit/531.22.7 (KHTML, like Gecko) Version/4.0.5 Safari/531.22.7

    Try a new profile. See [[Recovering important data from an old profile]]

  • ALV .  How to remove the sort buttons on toolbar in ALV report?

    Hi, experts
    As you know, in the default case, the ALV report will display two sort buttons (ascending, descending) on its toolbar. So how do I remove the sort buttons on the toolbar in an ALV report?
    Thanks for your help.

    Hi guixin,
    1. Before calling REUSE_ALV_LIST_DISPLAY
    2. Write this code :
    data : excl type SLIS_T_EXTAB.
    data : exclwa type SLIS_EXTAB.
    exclwa = '&OUP'.
    append exclwa to excl.
    exclwa = '&ODN'.
    append exclwa to excl.
    3. Then while calling the FM,
       pass this parameter also .
    IT_EXCLUDING     = excl
    It will work fantastic.
    regards,
    amit m.

  • How to remove blank pages from WebI Report in view page layout option

    Hi,
    I am working in a Business Objects XIR2 environment. I have a WebI report with several sections. I need to show the report as a book with 69 sections (each section on a new page). There are 69 sections on cost center and each cost center section has almost 10 sections embedded in it. When I see it in regular view I only see 69 pages, but when I try to see it in the "View Page Layout" option, there is one blank page added after each results page.
    Please let me know how to remove this blank page. I need to give users the option to download the book as PDF on to their machine. Now, when I download to my machine, I see one blank page after each results page.
    Thanks in advance.

    Just convert your report to Page Layout mode and see if your first page is expanding into the second page.
    Now check if there are any cells going into the second page.
    - if there is any blank cell which is there after the table.
    You have to check the formatting very carefully.
