About | ACP | Buy | Forum | Industry Watch | Learning Curve | Search | Twitter | Xnews
Home » Learning Curve

iWorksServices.clix

Cautions and cures.


Buy It

Try It

The following 1364 byte download will rid your system of the iWorksServices trojan without your having to fumble with Terminal and the command line.

It uses CLIX which is freely available here. Further documentation is available here and in hundreds of places on this site.

The CLIX download is less than 200 KB; all you have to do is take it, open it, open iWorksServices.clix, and run the commands. No typing at all - just a bunch of clicks.

Five Commands

iWorksServices.clix currently has but five commands. Only one of these is needed to remove the trojan. The other four commands provide further information.

This file will be augmented over time so bookmark this page and the download URL.

Netstat AF_INET Show current Internet connections /usr/sbin/netstat -finet
Remove iWorkServices Remove the iWorkServices trojan. /usr/bin/sudo /usr/bin/killall -9 iWorkServices; /usr/bin/sudo /bin/rm -fr /Library/Receipts/iWorkServices.pkg /private/tmp/.iWorkServices /System/Library/StartupItems/iWorkServices /usr/bin/iWorkServices
Show /tmp Show contents of /private/tmp. /bin/echo /private/tmp; /bin/echo ------------; /bin/ls -a /private/tmp
Show Input Managers Show all input managers on system. /bin/echo /Library/InputManagers; /bin/echo ----------------------; /bin/ls -a /Library/InputManagers; /bin/echo; /bin/echo /System/Library/InputManagers; /bin/echo -----------------------------; /bin/ls -a /System/Library/InputManagers; /bin/echo; /bin/echo ~/Library/InputManagers; /bin/echo -----------------------; /bin/ls -a ~/Library/InputManagers
Show Startup Items Show all startup items on system. /bin/echo /Library/StartupItems; /bin/echo ---------------------; /bin/ls -a /Library/StartupItems; /bin/echo; /bin/echo /System/Library/StartupItems; /bin/echo ----------------------------; /bin/ls -a /System/Library/StartupItems; /bin/echo; /bin/echo ~/Library/StartupItems; /bin/echo ----------------------; /bin/ls -a ~/Library/StartupItems

Comments

  • The MacRumors method using sudo su is ill advised. It is dangerous.
  • All commands should use full paths in case the trojan's hijacked $PATH.
  • Running the commands with CLIX and not with Terminal ensures only the kernel-approved $PATH will be used.
  • The 'Netstat AF_INET' command will show if a trojan is engaged in any Internet activity.
  • The order of the commands in 'Remove iWorkServices' may be important. More sophisticated trojans can detect if their disk images have been removed and in such case replicate them again. Therefore it's best to kill the trojan process first.
  • The input managers and startup items directories may not all exist on your system. There's nothing wrong with that. You're looking for newcomers that don't belong. Consider enhancing the ls command to include time stamps.
  • Always track programs you've never run before. See what they get up to - for better or worse. There's no reason to suspect malfeasance where stupidity works as well or better but there's no excuse for not being cautious either.

Download

About | ACP | Buy | Forum | Industry Watch | Learning Curve | Search | Twitter | Xnews
Copyright © Rixstep. All rights reserved.