How to manually remove the Flashback Malware.

Disinfection

Manual Removal

Caution: Manual disinfection is a risky process; it is recommended only for advanced users. Otherwise, please seek professional technical assistance. F-Secure customers may also contact  Support.

Manual Removal Instructions

1. Run the following command in Terminal:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

2. Take note of the value, DYLD_INSERT_LIBRARIES

3. Proceed to step 8 if you got the following error message:”The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist”

4. Otherwise, run the following command in Terminal: grep -a -o ‘__ldpath__[ -~]*’ %path_obtained_in_step2%

5. Take note of the value after “__ldpath__”

6. Run the following commands in Terminal (first make sure there is only one entry, from step 2): sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment sudo chmod 644 /Applications/Safari.app/Contents/Info.plist

7. Delete the files obtained in steps 2 and 5

8. Run the following command in Terminal:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following:

“The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist”

10. Otherwise, run the following command in Terminal:

grep -a -o ‘__ldpath__[ -~]*’ %path_obtained_in_step9%

11. Take note of the value after “__ldpath__”

12. Run the following commands in Terminal: defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES launchctl unsetenv DYLD_INSERT_LIBRARIES

13. Finally, delete the files obtained in steps 9 and 11.

14. Run the following command in Terminal: ls -lA ~/Library/LaunchAgents/

15. Take note of the filename. Proceed only when you have one file. Otherwise contact our customer care.

16. Run the following command in Terminal:

defaults read ~/Library/LaunchAgents/%filename_obtained_in_step15% ProgramArguments

17. Take note of the path. If the filename does not start with a “.”, then you might not be infected with this variant.

18. Delete the files obtained in steps 15 and 17.

You can follow us on Twitter, add us to your circle on Google+ or like our Facebook page to get first-hand information on ICT related issues.

Via f-secure

Advertisements

Let's know what you think

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s