Trouble Removing Flashback

Discussion in 'macOS' started by MVallee, Apr 5, 2012.

  1. MVallee macrumors 6502a

    MVallee

    Joined:
    Feb 8, 2007
    Location:
    Ontario, Canada
    #1
    So I think I have the Flashback trojan. All week Safari has been crashing because of the ".advancedwindowsmail.png" plug-in. When I heard about the Flashback virus I followed the instructions on f-secure and instead of getting a "does not exist" I got a path that led to ".advancedwindowsmail.png".

    http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml
    I followed all the instructions listed in the above link to the best of my ability (not that proficient in terminal) and ended up where it did say "does not exist" which according to f-secure means "Your system is already clean of this variant".

    About 10 minutes later Safari crashed because of the same plug-in which was supposed to be removed. I don't know what I did wrong. The only step I couldn't understand was "7. Delete the files obtained in steps 2 and 5". It doesn't say how to delete those files or where they are. I followed the path into safari.app/content/resources and it wasn't there. Did I do something wrong? Do I possibly have another variant as well?

    Please help! :(

    Edit: BTW, I'm running the latest version of Snow Leopard and have already installed the Java patch.
     
  2. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #2
    To easily check for the presence of the Flashback trojan, read this. If it's not there, you don't have the Flashback trojan.
     
  3. MVallee thread starter macrumors 6502a

    MVallee

    Joined:
    Feb 8, 2007
    Location:
    Ontario, Canada
    #3
    Ran the terminal commands and came up empty.

    Searched the Info.plist and also came up empty.

    Then I checked for DYLD_INSERT_LIBRARIES and found a folder called ".MacOSX"

    What do I do now?
     
  4. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #4
    Did you look in the folder for DYLD_INSERT_LIBRARIES? And are you certain it was ".MacOSX" and not "MacOSX"?
     
  5. MVallee thread starter macrumors 6502a

    MVallee

    Joined:
    Feb 8, 2007
    Location:
    Ontario, Canada
    #5
    Inside the folder is just one file named "environment.plist" and yes, it's definitely .MacOSX.
     
  6. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #6
    For detailed removal instructions, read this.
     
  7. MVallee thread starter macrumors 6502a

    MVallee

    Joined:
    Feb 8, 2007
    Location:
    Ontario, Canada
    #7
    I already did follow those instructions. I posted the same link in my first post. I tried going through the steps again and it keeps saying "does not exist" but obviously if the folder is there and Safari still quits, it must be there somewhere.

    Like I said before, the only step I could not understand was "7. Delete the files obtained in steps 2 and 5". It doesn't give any more details on that. I don't know where the files are that I'm supposed to delete.
     
  8. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #8
    Did you find either of these? Steps 1 and 4 tell you exactly where to look for those. If it says they don't exist and you've entered the Terminal commands properly, then why would you think they're there?
     
  9. MVallee thread starter macrumors 6502a

    MVallee

    Joined:
    Feb 8, 2007
    Location:
    Ontario, Canada
    #9
    I don't think you are understanding me. I ran both those commands and found files for both of them. I followed the rest of the steps from f-secure except for "Delete the files obtained in steps 2 and 5" because I didn't understand what that meant. When running the commands a second time it says "not found" so I assumed it was gone, until Safari crashed because of the same file.

    Now, I just did the whole "file visibility" thing because I figured that maybe the reason I couldn't find the files from step 2 & 5 was because they were invisible and sure enough, I found both of them so I deleted them like f-secure said to do. Well, doing that crashed Safari and now it won't open again. I'm using Firefox for the time being.

    It just keeps saying "safari can't open because of a problem"

    These are the problem details it shows.
     
  10. gertruded macrumors regular

    Joined:
    Jul 5, 2007
    Location:
    Northwestern Illinois
    #10
    I am with you mvallee. I don't understand how to delete the files or even what to call the files. Or how to type in a delete to get the files deleted.

    The responders are assuming we know more about the terminal commands than we do. All the instructions say is to "note" something.
     
  11. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #11
    1. Right-click Safari.app
    2. Show Package Contents
    3. Enter adv in the search bar
    4. Click the + under the search
    5. Select File visibility > Visible or invisible
    6. Check for a file called .AdvancedWindowsMail.xsl
    7. If it's there, delete it.
    8. Enter your admin password if prompted for it.
    9. Save changes to Safari.app if you deleted that file
     
  12. MVallee thread starter macrumors 6502a

    MVallee

    Joined:
    Feb 8, 2007
    Location:
    Ontario, Canada
    #12
    Exactly. I copied the paths to a TextEdit file and then when it said to delete them I followed the paths and there were no files to delete so I moved to the next step. When I figured out the files were invisible I found them and deleted them like it said to do and that messed things up even more, so I wouldn't recommend doing that. I just re-downloaded Safari and am re-installing it as we speak so hopefully that fixes things.

    ----------

    I did that and then that's what made safari quit and now it won't open at all.

    ----------

    Ok so reinstalling Safari worked and that's back up and running. I don't know if it's going to crash again or if I still have the trojan somewhere on my system. The .MacOSX folder is still there.
     
  13. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #13
    Is there anything in that folder? Remember to include invisible files when you search. If it's empty, just delete the .MacOSX folder. Also, is the .AdvancedWindowsMail.xsl file in the newly-installed Safari.app?
     
  14. MVallee thread starter macrumors 6502a

    MVallee

    Joined:
    Feb 8, 2007
    Location:
    Ontario, Canada
    #14
    In the .MacOSX there is just a file called "environment.plist". I checked for the invisible files and that's the only thing that shows up.

    I searched the new Safari.app and can't find the ".AdvancedWindowsMail.xsl" file.

    Should I delete the folder and the environment.plist file?
     
  15. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #15
    Definitely.
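
Added example, not part of any post in this thread and not F-Secure's own code: a Python version of the check the posters are working through. It reads Safari's Info.plist and ~/.MacOSX/environment.plist, reports every library path stored under DYLD_INSERT_LIBRARIES, and says whether that (often hidden) file is still on disk. The function names and the sample tree are made up for illustration, and it assumes the Info.plist entry sits under the standard `LSEnvironment` key.

```python
import plistlib
import tempfile
from pathlib import Path

KEY = "DYLD_INSERT_LIBRARIES"

def _load(path):
    """Parse an XML or binary plist; return {} if it is missing or unreadable."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except Exception:  # missing file, bad XML, unknown format
        return {}
    return data if isinstance(data, dict) else {}

def find_injected_libraries(home, safari_app):
    """Return (plist, library, exists_on_disk) for each DYLD_INSERT_LIBRARIES entry."""
    info = Path(safari_app) / "Contents" / "Info.plist"
    env = Path(home) / ".MacOSX" / "environment.plist"
    ls_env = _load(info).get("LSEnvironment")
    ls_env = ls_env if isinstance(ls_env, dict) else {}
    findings = []
    for plist, value in ((info, ls_env.get(KEY)), (env, _load(env).get(KEY))):
        if not isinstance(value, str):
            continue
        # The variable may hold several colon-separated paths.
        for lib in filter(None, value.split(":")):
            findings.append((str(plist), lib, Path(lib).exists()))
    return findings

def build_constructed_sample(root):
    """Constructed sample tree (not real malware paths) with both hooks set."""
    root = Path(root)
    app, home = root / "Safari.app", root / "home"
    lib = app / "Contents" / "Resources" / ".ExampleHidden.xsl"  # made-up name
    lib.parent.mkdir(parents=True)
    lib.write_bytes(b"")
    (home / ".MacOSX").mkdir(parents=True)
    with open(app / "Contents" / "Info.plist", "wb") as fh:
        plistlib.dump({"LSEnvironment": {KEY: str(lib)}}, fh)
    with open(home / ".MacOSX" / "environment.plist", "wb") as fh:
        # Second hook points at a file that no longer exists.
        plistlib.dump({KEY: str(root / "gone.tmp")}, fh, fmt=plistlib.FMT_BINARY)
    return home, app

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for plist, lib, exists in find_injected_libraries(*build_constructed_sample(tmp)):
            print(f"{plist}\n  loads: {lib}\n  file present: {exists}")
```

An empty result means neither plist sets the variable; an entry whose file is still present is one that has to be removed together with the plist key, not instead of it.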
     
  16. MVallee thread starter macrumors 6502a

    MVallee

    Joined:
    Feb 8, 2007
    Location:
    Ontario, Canada
  17. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #17
    You're very welcome! For future reference:

    Macs are not immune to malware, but no true viruses exist in the wild that can run on Mac OS X, and there never have been any since it was released over 10 years ago. The only malware in the wild that can affect Mac OS X is a handful of trojans, which can be easily avoided by practicing safe computing (see below). Also, Mac OS X Snow Leopard and Lion have anti-malware protection built in, further reducing the need for 3rd party antivirus apps.
    1. Make sure your built-in Mac firewall is enabled in System Preferences > Security > Firewall

    2. Uncheck "Open "safe" files after downloading" in Safari > Preferences > General

    3. Uncheck "Enable Java" in Safari > Preferences > Security. Leave this unchecked until you visit a trusted site that requires Java, then re-enable only for your visit to that site. (This is not to be confused with JavaScript, which you should leave enabled.)

    4. Check your DNS settings by reading this.

    5. Be careful to only install software from trusted, reputable sites. Never install pirated software. If you're not sure about an app, ask in this forum before installing.

    6. Never let someone else have access to install anything on your Mac.

    7. Don't open files that you receive from unknown or untrusted sources.

    8. Make sure all network, email, financial and other important passwords are complex, including upper and lower case letters, numbers and special characters.

    9. Always keep your Mac and application software updated. Use Software Update for your Mac software. For other software, it's safer to get updates from the developer's site or from the menu item "Check for updates", rather than installing from any notification window that pops up while you're surfing the web.
    That's all you need to do to keep your Mac completely free of any virus, trojan, spyware, keylogger, or other malware. You don't need any 3rd party software to keep your Mac secure.
     
  18. gertruded macrumors regular

    Joined:
    Jul 5, 2007
    Location:
    Northwestern Illinois
    #18
    Thank you GGJstudios. I think you have helped several users today with your posts.
     
  19. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #19
    I see you have updated your standard text by removing the reference to "actively installed" as I suggested. Very good.
     
