
MVallee

macrumors 6502a
Original poster
Feb 8, 2007
810
183
Ontario, Canada
So I think I have the Flashback trojan. All week Safari has been crashing because of the ".advancedwindowsmail.png" plug-in. When I heard about the Flashback virus I followed the instructions on F-Secure and instead of getting a "does not exist" I got a path that led to ".advancedwindowsmail.png".

http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml
I followed all the instructions listed in the above link to the best of my ability (not that proficient in Terminal) and ended up where it did say "does not exist", which according to F-Secure means "Your system is already clean of this variant".

About 10 minutes later Safari crashed because of the same plug-in, which was supposed to be removed. I don't know what I did wrong. The only step I couldn't understand was "7. Delete the files obtained in steps 2 and 5". It doesn't say how to delete those files or where they are. I followed the path into safari.app/content/resources and it wasn't there. Did I do something wrong? Do I possibly have another variant as well?

Please help! :(

Edit: BTW, I'm running the latest version of Snow Leopard and have already installed the Java patch.
 
> So I think I have the Flashback trojan. All week Safari has been crashing because of the ".advancedwindowsmail.png" plug-in. When I heard about the Flashback virus I followed the instructions on F-Secure and instead of getting a "does not exist" I got a path that led to ".advancedwindowsmail.png".

To easily check for the presence of the Flashback trojan, read this. If it's not there, you don't have the Flashback trojan.
 
Ran the terminal commands and came up empty.

Searched the Info.plist and also came up empty.

Then I checked for DYLD_INSERT_LIBRARIES and found a folder called ".MacOSX".

What do I do now?
 
> Ran the terminal commands and came up empty.
>
> Searched the Info.plist and also came up empty.
>
> Then I checked for DYLD_INSERT_LIBRARIES and found a folder called ".MacOSX".
>
> What do I do now?

Did you look in the folder for DYLD_INSERT_LIBRARIES? And are you certain it was ".MacOSX" and not "MacOSX"?
 
I already did follow those instructions. I posted the same link in my first post. I tried going through the steps again and it keeps saying "does not exist" but obviously if the folder is there and Safari still quits, it must be there somewhere.

Like I said before, the only step I could not understand was "7. Delete the files obtained in steps 2 and 5". It doesn't give any more details on that. I don't know where the files are that I'm supposed to delete.
 
> I already did follow those instructions. I posted the same link in my first post. I tried going through the steps again and it keeps saying "does not exist" but obviously if the folder is there and Safari still quits, it must be there somewhere.
>
> Like I said before, the only step I could not understand was "7. Delete the files obtained in steps 2 and 5". It doesn't give any more details on that. I don't know where the files are that I'm supposed to delete.

> 1. Run the following command in Terminal:
>
> defaults read /Applications/Safari.app/Contents/Info LSEnvironment
>
> 2. Take note of the value, DYLD_INSERT_LIBRARIES
>
> 4. Otherwise, run the following command in Terminal:
>
> grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%
>
> 5. Take note of the value after "__ldpath__"

Did you find either of these? Steps 1 and 4 tell you exactly where to look for those. If it says they don't exist and you've entered the Terminal commands properly, then why would you think they're there?
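The checks those steps describe, written out as a small detection script; this is an added example, not F-Secure's instructions or anything posted in the thread. The Info.plist, library bytes and ~/.MacOSX/environment.plist it reads are constructed samples (the Safari path is the one from the crash report quoted later in the thread, the other paths are hypothetical).

```python
import plistlib
import re

# Constructed Info.plist: LSEnvironment injects a library into Safari through
# DYLD_INSERT_LIBRARIES, which is what steps 1-2 look for. The path is the one
# named in the dyld crash message quoted later in the thread.
INFECTED_INFO = plistlib.dumps({
    "CFBundleIdentifier": "com.apple.Safari",
    "LSEnvironment": {"DYLD_INSERT_LIBRARIES":
        "/Applications/Safari.app/Contents/Resources/.AdvancedWindowsMail.xsl"},
})
CLEAN_INFO = plistlib.dumps({"CFBundleIdentifier": "com.apple.Safari"})

# Constructed stand-in for the inserted library's bytes: steps 4-5 pull out the
# printable string that follows the "__ldpath__" marker. Hypothetical path.
INFECTED_LIB = b"\x00\xfejunk__ldpath__/Users/example/.MacOSX/.hidden.so\x00tail"

# Constructed ~/.MacOSX/environment.plist, the per-user file the poster found;
# a DYLD_INSERT_LIBRARIES key here reaches every app the user launches.
USER_ENV = plistlib.dumps({"DYLD_INSERT_LIBRARIES": "/Users/example/.MacOSX/.hidden.so"})


def inserted_library(info_plist: bytes):
    """Steps 1-2: DYLD_INSERT_LIBRARIES under LSEnvironment, or None if clean."""
    env = plistlib.loads(info_plist).get("LSEnvironment", {})
    return env.get("DYLD_INSERT_LIBRARIES")


def ldpath_marker(library: bytes):
    """Steps 4-5: same match as grep -a -o '__ldpath__[ -~]*', marker stripped."""
    m = re.search(rb"__ldpath__([ -~]*)", library)
    return m.group(1).decode("ascii") if m else None


def user_env_library(env_plist: bytes):
    """Top-level DYLD_INSERT_LIBRARIES in environment.plist, or None."""
    return plistlib.loads(env_plist).get("DYLD_INSERT_LIBRARIES")


def report(info_plist: bytes, library: bytes, env_plist: bytes):
    """Every indicator found, so the key and the files it points at are removed
    together. Removing only the library while the LSEnvironment key stays is
    what produces the 'could not load inserted library' crash in the thread."""
    found = {}
    lib, ld, env = inserted_library(info_plist), ldpath_marker(library), user_env_library(env_plist)
    if lib:
        found["LSEnvironment"] = lib
    if ld:
        found["__ldpath__"] = ld
    if env:
        found["environment.plist"] = env
    return found


if __name__ == "__main__":
    print(report(INFECTED_INFO, INFECTED_LIB, USER_ENV) or "does not exist")
```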
 
I don't think you are understanding me. I ran both those commands and found files for both of them. I followed the rest of the steps from F-Secure except for "Delete the files obtained in steps 2 and 5" because I didn't understand what that meant. When running the commands a second time it says "not found" so I assumed it was gone, until Safari crashed because of the same file.

Now, I just did the whole "file visibility" thing because I figured that maybe the reason I couldn't find the files from steps 2 & 5 was because they were invisible and sure enough, I found both of them so I deleted them like F-Secure said to do. Well, doing that crashed Safari and now it won't open again. I'm using Firefox for the time being.

It just keeps saying "Safari can't open because of a problem".

These are the problem details it shows.
Process: Safari [323]
Path: /Applications/Safari.app/Contents/MacOS/Safari
Identifier: com.apple.Safari
Version: ??? (???)
Build Info: WebBrowser-75345503~2
Code Type: X86-64 (Native)
Parent Process: launchd [95]

Date/Time: 2012-04-05 13:49:49.938 -0400
OS Version: Mac OS X 10.6.8 (10K549)
Report Version: 6

Interval Since Last Report: 91307 sec
Crashes Since Last Report: 10
Per-App Crashes Since Last Report: 3
Anonymous UUID: 75BD8CF7-C755-43CD-B037-D11B151066C4

Exception Type: EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000002, 0x0000000000000000
Crashed Thread: 0

Dyld Error Message:
could not load inserted library: /Applications/Safari.app/Contents/Resources/.AdvancedWindowsMail.xsl

Binary Images:
0x7fff5fc00000 - 0x7fff5fc3bdef dyld 132.1 (???) <B536F2F1-9DF1-3B6C-1C2C-9075EA219A06> /usr/lib/dyld

Model: MacBookPro7,1, BootROM MBP71.0039.B0B, 2 processors, Intel Core 2 Duo, 2.4 GHz, 4 GB, SMC 1.62f6
Graphics: NVIDIA GeForce 320M, NVIDIA GeForce 320M, PCI, 256 MB
Memory Module: global_name
AirPort: spairport_wireless_card_type_airport_extreme (0x14E4, 0x8D), Broadcom BCM43xx 1.0 (5.10.131.42.4)
Bluetooth: Version 2.4.5f3, 2 service, 12 devices, 1 incoming serial ports
Network Service: AirPort, AirPort, en1
Serial ATA Device: TOSHIBA MK2555GSXF, 232.89 GB
Serial ATA Device: MATSHITADVD-R UJ-898
USB Device: Built-in iSight, 0x05ac (Apple Inc.), 0x8507, 0x24600000 / 2
USB Device: Internal Memory Card Reader, 0x05ac (Apple Inc.), 0x8403, 0x26100000 / 2
USB Device: IR Receiver, 0x05ac (Apple Inc.), 0x8242, 0x06500000 / 3
USB Device: BRCM2046 Hub, 0x0a5c (Broadcom Corp.), 0x4500, 0x06600000 / 4
USB Device: Bluetooth USB Host Controller, 0x05ac (Apple Inc.), 0x8213, 0x06610000 / 5
USB Device: Apple Internal Keyboard / Trackpad, 0x05ac (Apple Inc.), 0x0236, 0x06300000 / 2
 
I am with you mvallee. I don't understand how to delete the files or even what to call the files. Or how to type in a delete to get the files deleted.

The responders are assuming we know more about the terminal commands than we do. All the instructions say is to "note" something.
 
> Now, I just did the whole "file visibility" thing because I figured that maybe the reason I couldn't find the files from steps 2 & 5 was because they were invisible and sure enough, I found both of them so I deleted them like F-Secure said to do. Well, doing that crashed Safari and now it won't open again. I'm using Firefox for the time being.
>
> It just keeps saying "Safari can't open because of a problem".
>
> These are the problem details it shows.

  1. Right-click Safari.app
  2. Show Package Contents
  3. Enter adv in the search bar
  4. Click the + under the search
  5. Select File visibility > Visible or invisible
  6. Check for a file called .AdvancedWindowsMail.xsl
  7. If it's there, delete it.
  8. Enter your admin password if prompted for it.
  9. Save changes to Safari.app if you deleted that file
 
> I am with you mvallee. I don't understand how to delete the files or even what to call the files. Or how to type in a delete to get the files deleted.
>
> The responders are assuming we know more about the terminal commands than we do. All the instructions say is to "note" something.

Exactly. I copied the paths to a TextEdit file and then when it said to delete them I followed the paths and there were no files to delete, so I moved to the next step. When I figured out the files were invisible I found them and deleted them like it said to do and that messed things up even more, so I wouldn't recommend doing that. I just re-downloaded Safari and am re-installing it as we speak, so hopefully that fixes things.

----------

>   1. Right-click Safari.app
>   2. Show Package Contents
>   3. Enter adv in the search bar
>   4. Click the + under the search
>   5. Select File visibility > Visible or invisible
>   6. Check for a file called .AdvancedWindowsMail.xsl
>   7. If it's there, delete it.
>   8. Enter your admin password if prompted for it.
>   9. Save changes to Safari.app if you deleted that file

I did that and that's what made Safari quit, and now it won't open at all.

----------

OK, so reinstalling Safari worked and that's back up and running. I don't know if it's going to crash again or if I still have the trojan somewhere on my system. The .MacOSX folder is still there.
 
> OK, so reinstalling Safari worked and that's back up and running. I don't know if it's going to crash again or if I still have the trojan somewhere on my system. The .MacOSX folder is still there.

Is there anything in that folder? Remember to include invisible files when you search. If it's empty, just delete the .MacOSX folder. Also, is the .AdvancedWindowsMail.xsl file in the newly-installed Safari.app?
 
> Is there anything in that folder? Remember to include invisible files when you search. If it's empty, just delete the .MacOSX folder. Also, is the .AdvancedWindowsMail.xsl file in the newly-installed Safari.app?

In the .MacOSX folder there is just a file called "environment.plist". I checked for the invisible files and that's the only thing that shows up.

I searched the new Safari.app and can't find the ".AdvancedWindowsMail.xsl" file.

Should I delete the folder and the environment.plist file?
 
OK, cool. Thank you so much for your help!
You're very welcome! For future reference:

Macs are not immune to malware, but no true viruses exist in the wild that can run on Mac OS X, and there never have been any since it was released over 10 years ago. The only malware in the wild that can affect Mac OS X is a handful of trojans, which can be easily avoided by practicing safe computing (see below). Also, Mac OS X Snow Leopard and Lion have anti-malware protection built in, further reducing the need for 3rd party antivirus apps.
  1. Make sure your built-in Mac firewall is enabled in System Preferences > Security > Firewall

  2. Uncheck "Open "safe" files after downloading" in Safari > Preferences > General

  3. Uncheck "Enable Java" in Safari > Preferences > Security. Leave this unchecked until you visit a trusted site that requires Java, then re-enable only for your visit to that site. (This is not to be confused with JavaScript, which you should leave enabled.)

  4. Check your DNS settings by reading this.

  5. Be careful to only install software from trusted, reputable sites. Never install pirated software. If you're not sure about an app, ask in this forum before installing.

  6. Never let someone else have access to install anything on your Mac.

  7. Don't open files that you receive from unknown or untrusted sources.

  8. Make sure all network, email, financial and other important passwords are complex, including upper and lower case letters, numbers and special characters.

  9. Always keep your Mac and application software updated. Use Software Update for your Mac software. For other software, it's safer to get updates from the developer's site or from the menu item "Check for updates", rather than installing from any notification window that pops up while you're surfing the web.
That's all you need to do to keep your Mac completely free of any virus, trojan, spyware, keylogger, or other malware. You don't need any 3rd party software to keep your Mac secure.
 
> Macs are not immune to malware, but no true viruses exist in the wild that can run on Mac OS X, and there never have been any since it was released over 10 years ago. The only malware in the wild that can affect Mac OS X is a handful of trojans, which can be easily avoided by practicing safe computing (see below). Also, Mac OS X Snow Leopard and Lion have anti-malware protection built in, further reducing the need for 3rd party antivirus apps.

I see you have updated your standard text by removing the reference to "actively installed" as I suggested. Very good.
 