About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Home » Learning Curve


More cautions and cures.

Get It

Try It

The following 1892 byte download will rid your system of both the iWorksServices trojan and the DivX trojan without your having to fumble with Terminal and the command line.

It uses CLIX which is freely available here. Further documentation is available here and in hundreds of places on this site.

The CLIX download is less than 140 KB; all you have to do is take it, open it, open iTrojan.clix, and run the commands. No typing at all - just a bunch of clicks.

Eight Commands

iTrojan.clix currently has but eight commands. Only two of these are needed to remove the trojans. The other six commands provide further information. This file replaces the earlier iWorkServices.clix (which is still available).

This file will be augmented over time so bookmark this page and the download URL.

Netstat AF_INET Show current Internet connections /usr/sbin/netstat -finet
Remove DivX Remove the DivX trojan. /usr/bin/sudo /usr/bin/killall -9 DivX; /usr/bin/sudo /bin/rm -fr /System/Library/StartupItems/DivX /usr/bin/DivX /var/root/.DivX
Remove iWorkServices Remove the iWorkServices trojan. /usr/bin/sudo /usr/bin/killall -9 iWorkServices; /usr/bin/sudo /bin/rm -fr /Library/Receipts/iWorkServices.pkg /private/tmp/.iWorkServices /System/Library/StartupItems/iWorkServices /usr/bin/iWorkServices
Show /tmp Show contents of /private/tmp. /bin/echo /private/tmp; /bin/echo ------------; /bin/ls -a /private/tmp
Show /var/root Show contents of /private/var/root. /bin/echo /private/var/root; /bin/echo -----------------; sudo /bin/ls -a /private/var/root
Show /var/tmp Show contents of /private/var/tmp. /bin/echo /private/var/tmp; /bin/echo ----------------; /bin/ls -a /private/var/tmp
Show Input Managers Show all input managers on system. /bin/echo /Library/InputManagers; /bin/echo ----------------------; /bin/ls -a /Library/InputManagers; /bin/echo; /bin/echo /System/Library/InputManagers; /bin/echo -----------------------------; /bin/ls -a /System/Library/InputManagers; /bin/echo; /bin/echo '~/Library/InputManagers'; /bin/echo -----------------------; /bin/ls -a ~/Library/InputManagers
Show Startup Items Show all startup items on system. /bin/echo /Library/StartupItems; /bin/echo ---------------------; /bin/ls -a /Library/StartupItems; /bin/echo; /bin/echo /System/Library/StartupItems; /bin/echo ----------------------------; /bin/ls -a /System/Library/StartupItems; /bin/echo; /bin/echo '~/Library/StartupItems'; /bin/echo ----------------------; /bin/ls -a ~/Library/StartupItems


  • The MacRumors method using sudo su is ill advised. It's dangerous.
  • All commands should use full paths in case the trojan's hijacked $PATH.
  • The DivX trojan will replicate itself in /var/tmp using a randomised name.
  • This file should not be automatically activated but you should remove it anyway.
  • Use 'Show /var/tmp' to identify it and then create a new CLIX command to remove it.
  • Running the commands with CLIX and not with Terminal ensures only the kernel-approved $PATH will be used.
  • The 'Netstat AF_INET' command will show if a trojan is engaged in any Internet activity.
  • The order of the commands in 'Remove DivX' and 'Remove iWorkServices' may be important. More sophisticated trojans (such as the DivX trojan) can detect if their disk images have been removed and in such case replicate them again. Thus it's best to kill the trojan process first. And run the commands repeatedly if you wish.
  • The input managers and startup items directories may not all exist on your system. There's nothing wrong with that. You're looking for newcomers that don't belong. Consider enhancing the ls command to include time stamps.
  • Always track programs you've never run before. See what they get up to - for better or worse. There's no reason to suspect malfeasance where stupidity works as well or better but there's no excuse for not being cautious either.


About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Copyright © Rixstep. All rights reserved.