Posted on 04-10-2012 05:28 PM
I am only infected with the I variant so far.
Here is what I came up with for cleaning it. Using the script in my other post I populated 3 Smart Groups.
Flashback like infected
Flashback like user
Flashback like safari
I accidentally fully cleaned my one user level infected machine before finalizing the script but this should work. Unfortunately, I couldn't work out a way to unset the launchd variable when the user was not logged in.
Since I have only a few infections I plan on running it by hand, but you could run it at login as a LaunchAgent or use one of the old methods tlarkin or others came up with to run Self-Service items as the current user.
#!/bin/bash
# patterned after the removal instructions on F-Secure's Flashback.I variant removal site
# www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml
delete_me=()
# if the defaults command is successful, set the check_file variable with the result and continue (Steps 8 & 9)
if check_file=$(defaults read "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES 2>/dev/null); then
    # search in $check_file for the "__ldpath__" strings that name the companion files (Steps 10 & 11)
    # sort -u drops duplicates wherever they occur; uniq only drops adjacent ones
    while read -r; do
        delete_me+=("$REPLY")
    done < <(grep -a -o '__ldpath__[ -~]*' "${check_file}" | sort -u)
    # get rid of the entry (Step 12a)
    defaults delete "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES
    # unset the launchd environment variable; only affects the logged-in user's launchd (Step 12b)
    launchctl unsetenv DYLD_INSERT_LIBRARIES
    # delete the first file, obtained in Step 9 (Step 13a)
    rm "${check_file}"
    # delete the files obtained in Step 11 (Step 13b); strip only the "__ldpath__" marker,
    # since "${file##*_}" would truncate any path that itself contains an underscore
    for file in "${delete_me[@]}"; do
        rm "${file#__ldpath__}"
    done
else
    echo "This user is not infected"
fi
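The marker extraction in Steps 10 and 11 is the part most likely to go wrong, so here is an added example (not the poster's script) that isolates it: a helper that lists the "__ldpath__" companion paths from the dropped library, run against a constructed stand-in file rather than a real sample. It strips only the marker, so a path that itself contains underscores comes back whole.

```shell
#!/bin/sh
# Added example, not the poster's script. Given the library path that
# DYLD_INSERT_LIBRARIES pointed at (F-Secure Step 9), print the companion
# file paths embedded after each "__ldpath__" marker (Steps 10 and 11),
# one per line, deduplicated. Only the marker itself is stripped, so a
# path containing underscores is returned intact.
flashback_ldpaths() {
    grep -a -o '__ldpath__[ -~]*' "$1" | sed 's/^__ldpath__//' | sort -u
}

# Constructed stand-in for the dropped library (not a real sample): a few
# binary bytes around three marker strings, one repeated and one with
# underscores in the path. Paths under /Users/demo are made up.
write_sample_library() {
    printf 'junk\001\002__ldpath__/Users/demo/.x_y_z\000more\n' > "$1"
    printf '__ldpath__/Users/demo/.w\000__ldpath__/Users/demo/.x_y_z\000' >> "$1"
}

# Number of distinct companion paths found in the given library file.
count_ldpaths() {
    flashback_ldpaths "$1" | wc -l | tr -d ' '
}
```

Running `flashback_ldpaths` on a real hit gives you the list to review before anything is deleted; the sample above yields exactly two paths.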
Posted on 04-12-2012 01:56 PM
RUN SOFTWARE UPDATE
https://support.apple.com/kb/HT5242