Manually remove the newly found OSX/OpinionSpy spyware
Authored by: joelbruner on Jun 03, '10 03:01:46PM
I did a lot of digging and here are my steps:
Disconnect from the network first in case it is logging keystrokes, don't let it return that data!

sudo launchctl unload -w /Library/LaunchDaemons/PremierOpinion.plist
sudo rm /private/tmp/poinstaller
sudo rm /private/tmp/script.sh
sudo rm -rf /private/tmp/installtmp
sudo rm -rf /private/tmp/autoupgrade
sudo rm -rf /private/tmp/tapinstaller
sudo rm -rf /Applications/PremierOpinion

For more info: http://www.brunerd.com/blog/2010/06/03/tearing-apart-opinionspy/
Edited on Jun 03, '10 03:03:03PM by joelbruner


Manually remove the newly found OSX/OpinionSpy spyware
Authored by: joelbruner on Jun 03, '10 04:14:55PM
And to turn off Access for Assistive Devices...
sudo rm /private/var/db/.AccessibilityAPIEnabled

Manually remove the newly found OSX/OpinionSpy spyware
Authored by: Zeitkind on Jun 05, '10 04:07:02PM

And - if at all - remove trojans and such in single user mode, or better while booted from another drive/DVD, and don't use chroot! Wiping the infected installation is always the best way and most users are not really good at doing stuff with the shell. Code signing may prevent infection of basic shell commands, but you never know, and I also suggest using /bin/rm instead of rm or using which (though which might be infected too).
I know this one is "only" some kind of a trojan, but we might see more and worse stuff in the future coming to OS X, so lightweight instructions to remove infections are not a really good idea.



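An added example, not written by any poster in this thread: a read-only check that reports which of the paths named in the removal steps above still exist, either on the running system or on a volume mounted while booted from another drive. The function name, the mount-point argument and the volume name in the usage line are assumptions.

```shell
#!/bin/sh
# Added example: read-only check for the OpinionSpy artifacts named in the
# comments above. Nothing is deleted; it only reports what is still present.
# ROOT is the mount point of the volume to inspect ("" or "/" = running system);
# "/Volumes/Macintosh HD" in the usage line is an assumed example name.

# Paths taken verbatim from the removal steps posted in this thread.
# The last entry is the Access for Assistive Devices flag file, so it can
# also be present on a system where the user enabled that setting.
OPINIONSPY_PATHS='/Library/LaunchDaemons/PremierOpinion.plist
/private/tmp/poinstaller
/private/tmp/script.sh
/private/tmp/installtmp
/private/tmp/autoupgrade
/private/tmp/tapinstaller
/Applications/PremierOpinion
/private/var/db/.AccessibilityAPIEnabled'

# Print every listed artifact that exists under ROOT, one per line.
# Returns 0 if none of them is present, 1 if anything was found.
# Uses only shell built-ins (test, printf), so no binary from the inspected
# volume is executed when ROOT is a volume mounted from another boot disk.
opinionspy_leftovers() {
    root=${1%/}          # strip a trailing slash so "/" becomes ""
    found=0
    old_ifs=$IFS
    IFS='
'
    for p in $OPINIONSPY_PATHS; do
        # -e misses dangling symlinks, so test -L as well
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            printf '%s\n' "$root$p"
            found=1
        fi
    done
    IFS=$old_ifs
    return "$found"
}

# Usage: opinionspy_leftovers "/Volumes/Macintosh HD"
```

An empty result only means these specific paths are absent; it says nothing about the launchd job state or about files the thread does not list.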