About the “Flashback” – How to remove this trojan from your Mac.

Yeah, finally there is a trojan for Mac OS X that does the job.

In a few days, more than 600,000 Macs have been infected by this trojan.

F-Secure has published a simple procedure to remove the trojan from your Mac. Here are the steps to follow:

Manual Removal Instructions


1. Run the following command in Terminal: 

# defaults read /Applications/Safari.app/Contents/Info LSEnvironment 

2. Take note of the value, DYLD_INSERT_LIBRARIES

3. Proceed to step 8 if you got the following error message:

"The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist" 

4. Otherwise, run the following command in Terminal: 

grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2% 

5. Take note of the value after "__ldpath__"

6. Run the following commands in Terminal (first make sure there is only one entry, from step 2): 

# sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment 

# sudo chmod 644 /Applications/Safari.app/Contents/Info.plist 

7. Delete the files obtained in steps 2 and 5

8. Run the following command in Terminal: 

# defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES 

9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following: 

"The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist" 

10. Otherwise, run the following command in Terminal: 

# grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9% 

11. Take note of the value after "__ldpath__"

12. Run the following commands in Terminal: 

# defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES 

# launchctl unsetenv DYLD_INSERT_LIBRARIES 

13. Finally, delete the files obtained in steps 9 and 11.

14. Run the following command in Terminal: 

# ls -lA ~/Library/LaunchAgents/ 

15. Take note of the filename. Proceed only when you have one file. Otherwise contact our customer care.

16. Run the following command in Terminal: 

# defaults read ~/Library/LaunchAgents/%filename_obtained_in_step15% ProgramArguments 

17. Take note of the path. If the filename does not start with a ".", then you might not be infected with this variant.

18. Delete the files obtained in steps 15 and 17.
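
The read-only checks from steps 1, 8 and 14-17 can be collected in one script. This is an added example, not part of F-Secure's procedure; the function names are illustrative, and it assumes the ProgramArguments values contain no quotes, commas or parentheses.

```shell
#!/bin/sh
# Added example: read-only triage of the locations from steps 1, 8 and 14-17.
# It deletes nothing; removal stays the manual procedure above.

# Print the value of KEY in DOMAIN, or nothing if the pair does not exist.
read_key() { defaults read "$1" "$2" 2>/dev/null || true; }

# Steps 4-5 and 10-11: printable string stored after __ldpath__ in FILE.
ldpath_of() {
    LC_ALL=C grep -a -o '__ldpath__[ -~]*' "$1" 2>/dev/null | sed 's/^__ldpath__//'
}

# Step 17: read ProgramArguments output on stdin and print every argument
# that is an absolute path whose file name starts with ".".
# Assumes arguments contain no quotes, commas or parentheses.
hidden_args() {
    tr -d '",()' | while read -r arg; do
        case "$arg" in
            /*) case "${arg##*/}" in .?*) printf '%s\n' "$arg" ;; esac ;;
        esac
    done
}

# Run all checks for the home directory given as $1 (default: $HOME).
triage() {
    home=${1:-$HOME}
    safari=$(read_key /Applications/Safari.app/Contents/Info LSEnvironment)
    if [ -n "$safari" ]; then
        printf 'Safari LSEnvironment is set (continue with steps 2-7):\n%s\n' "$safari"
    fi
    lib=$(read_key "$home/.MacOSX/environment" DYLD_INSERT_LIBRARIES)
    if [ -n "$lib" ]; then
        printf 'User DYLD_INSERT_LIBRARIES (step 9): %s\n' "$lib"
        printf '  __ldpath__ value (step 11): %s\n' "$(ldpath_of "$lib")"
    fi
    for plist in "$home"/Library/LaunchAgents/*.plist; do
        [ -e "$plist" ] || continue
        # Domain is passed without ".plist", like the Safari Info domain above.
        read_key "${plist%.plist}" ProgramArguments | hidden_args |
            while read -r p; do
                printf 'LaunchAgent %s runs hidden file %s\n' "$plist" "$p"
            done
    done
}

findings=$(triage "$@")
printf '%s\n' "${findings:-None of the three locations shows an entry.}"
```

Any line it prints is a pointer back to the matching manual step, not a verdict; the note in step 15 about having more than one LaunchAgents file still applies.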


Note:

Apple released its security update on Tuesday. If you have Java installed on your Mac — update now.


Gg1
