New to Sophos - what is actually running?

Hi,

I need to install AV software on to a Mac running Snow Leopard that is used for audio recording with Pro Tools.  How do I configure Sophos so that it is not constantly running (using up CPU) as PT needs as much CPU as possible.  I only need to manually scan external drives when they are connected so the system itself does not need constant monitoring.  I read on one forum post here that Sophos is constantly checking the system and its folders - is there a way to turn all of this off?

Thanks!


  • OSX/Flshplyr-D is the new FlashBack variant -- it injects itself into Firefox and Safari, and steals private data you send through those web browsers, as well as containing the ability to download and install other malware.  If you are infected and the cleanup is not finishing in a timely manner, you will have to remove the malware manually, using Terminal.app.  Note that in most cases, SAV should be able to perform these steps safely by itself. 

    If detection occurs when you've already had SAV installed and on-access scanning enabled, and you have difficulties uninstalling, try rebooting your computer, logging in as an administrator (if you only have one account, you're already doing this), and attempt to clean up again.

    PLEASE DO NOT FOLLOW THE NEXT STEPS UNLESS SAV CLEANUP HAS FAILED AND YOU ARE COMFORTABLE USING THE TERMINAL

    Sophos is not responsible for anything you may do to the stability of your Mac while attempting the following.  This is for informational purposes only.  If you don't understand what the instructions say when reading them now, don't follow them at all, and leave it to someone else who fully understands to perform the cleanup.

    Open /Applications/Utilities/Terminal.app and paste in the following command:

    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

    If you get the message "The domain/default pair of (<path>, DYLD_INSERT_LIBRARIES) does not exist" then there's no malware there, go on to the next step.

    If you get one or more actual paths listed, copy those to somewhere, we'll need them in a moment.

    Next, enter the following command:

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment

    If you get a similar "does not exist" message, you likely aren't infected, and can just throw the file in the trash that the QM has detected (after temporarily disabling SAV on-access scans to unlock the file).

    If you get one or more actual paths listed (every one that doesn't say "does not exist"), copy them to the same place you copied the lines above (if you did).

    Next, if you've got Firefox installed, enter:

    defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

    Do the same thing you did above for Safari.app.

    Next we'll drill down to the actual malware and remove it.  To do this, you'll need to be logged in with an Administrator account.  If you didn't set up limited user accounts on your Mac, you are likely already using an administrator account.  If you're using a limited user account, type

    "su <administrator account username>" without quotes, where the bracketed bit is your actual short version of your username (no spaces).

    Enter your password, and you're ready for the next step:

    For each path you saved from the above commands, run the following command from the terminal, with <path> being the actual path (eg. '/Applications/Automator.app/Contents/Resources/mdworker'):

    grep -a -o '__ldpath__[ -~]*' <path>

    type 'sudo rm ' (note the space) on the command line, and then copy/paste the file path from the previous command.  Press return, and enter your administrator password.

    Repeat the previous "grep" and "sudo rm" commands for each file path you found.

    Copy/paste the following command (just in case you've installed an older variant of Flashback):

    sudo rm ~/../Shared/.*.so

    Next, enter the following commands:

    sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment

    sudo chmod 644 /Applications/Safari.app/Contents/Info.plist

    If you have Firefox installed, also do the following commands:


    sudo defaults delete /Applications/Firefox.app/Contents/Info LSEnvironment

    sudo chmod 644 /Applications/Firefox.app/Contents/Info.plist

    Next, if you needed to log into your administrator account above, type 'exit' to log back out, and press return.  Do not do this if you were already logged into your administrator account.

    Type the following commands:

    defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

    launchctl unsetenv DYLD_INSERT_LIBRARIES

    Next, copy/paste:

    cd ~/Library/LaunchAgents/; ls|grep 'com.*.plist$'|sed 's/plist/update/'

    A single file name should appear, ending with ".update". 

    Enter the following command, with <file> being the name of the file:

    defaults read ~/Library/LaunchAgents/<file> ProgramArguments

    As above, copy the file path it returns, and then type:

    rm <file path>

    If you get an error, use "sudo rm" instead of "rm".  You will have to log back into your administrator account first, if you needed to above.  If logging back in, use 'exit' to get back to the limited account you were previously in.

    Next, type:

    ls|grep 'com.*.plist$'

    then type:

    rm <file>

    where <file> is the name of the file that was displayed.

    Congratulations!  All traces of the Flashback malware should now be removed from your system.

    REMINDER: the default cleanup SAV provides should do this for you in most circumstances.  This is to be done ONLY if for some reason the default cleanup is failing.

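The locations the reply above walks through (the user's environment.plist, the browsers' LSEnvironment, the __ldpath__ marker, the LaunchAgents plists), as an added read-only audit script that is not part of the thread or of Sophos' product: it reports what it finds and deletes nothing, so the findings can be compared with what SAV's cleanup did. The home path /Users/victim, the agent name com.example.update.plist and the .payload.so / .updater names are constructed placeholders, and the sample tree is built in a temporary directory.

```python
import plistlib
import re
import tempfile
from pathlib import Path

LDPATH = re.compile(rb"__ldpath__([ -~]*)")   # the marker the post's grep step looks for
def embedded_ldpath(lib):
    """Pull the __ldpath__ string out of an injected library (the post's grep step)."""
    m = LDPATH.search(lib.read_bytes()) if lib.is_file() else None
    return m.group(1).decode() if m else None

def audit_flashback(root, home="/Users/victim"):
    """Read-only audit of the persistence points the post walks through (root acts as '/')."""
    root, home = Path(root), Path(home.lstrip("/"))
    hits = []                                   # (where, plist, injected library, __ldpath__)
    def check(where, plist, keys):
        value = plistlib.loads(plist.read_bytes()) if plist.is_file() else {}
        for key in keys:                        # walk e.g. LSEnvironment -> DYLD_INSERT_LIBRARIES
            value = value.get(key, {}) if isinstance(value, dict) else {}
        if value:
            lib = root / str(value).lstrip("/")
            hits.append((where, str(plist), str(value), embedded_ldpath(lib)))
    check("user environment", root / home / ".MacOSX/environment.plist", ["DYLD_INSERT_LIBRARIES"])
    for app in ("Safari", "Firefox"):
        check(f"{app} LSEnvironment", root / f"Applications/{app}.app/Contents/Info.plist",
              ["LSEnvironment", "DYLD_INSERT_LIBRARIES"])
    # launchctl getenv DYLD_INSERT_LIBRARIES is live launchd state, not a file: check that by hand.
    agents = root / home / "Library/LaunchAgents"
    for p in (sorted(agents.glob("com.*.plist")) if agents.is_dir() else []):
        args = plistlib.loads(p.read_bytes()).get("ProgramArguments", [])
        if args:                                # list every agent so a reviewer can inspect it
            hits.append(("LaunchAgent", str(p), args[0], None))
    return hits

LIB = "/Applications/Automator.app/Contents/Resources/mdworker"   # example path from the post
SAMPLE = {  # constructed infected-looking tree: placeholder names, no real malware
    LIB.lstrip("/"): b"\x00junk\x00__ldpath__/Users/Shared/.payload.so\x00",
    "Users/victim/.MacOSX/environment.plist": plistlib.dumps({"DYLD_INSERT_LIBRARIES": LIB}),
    "Applications/Safari.app/Contents/Info.plist":
        plistlib.dumps({"LSEnvironment": {"DYLD_INSERT_LIBRARIES": LIB}}),
    "Users/victim/Library/LaunchAgents/com.example.update.plist":
        plistlib.dumps({"ProgramArguments": ["/Users/victim/.updater"]}),
}

def run_demo(infected=True):
    with tempfile.TemporaryDirectory() as tmp:  # audit the constructed tree, or an empty one
        for rel, data in (SAMPLE.items() if infected else []):
            Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, rel).write_bytes(data)
        return audit_flashback(tmp)
```

On a real machine call audit_flashback("/", home=str(Path.home())) and review each hit before removing anything.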