There are checks one can perform to see
1: If any of their machines have been seen on the Flashback botnet
2: Terminal commands to see if their machine is infected (use copy and paste, then press enter)
3: Preventative methods to avoid becoming infected.
Update Java via Software Update.
Check your status of all browser plug-ins
Firefox + NoScript add-on + Temp Allow All Button on Firefox's toolbar to turn on scripts only on sites you trust.
Learn how to make bootable clones, this way a complete erase can occur and a reverse clone done.
4: Resources if one is infected
Data Recovery, wiping entire machine, reinstalling OS X, returning clean files, etc.
I got rid of it by reinstalling Lion. Restart machine and hold down the option key --> select Recovery drive. Then select reinstall Lion.
It took about 1 h and it left everything else in place. But the flashback had disappeared. I then went into Safari preferences --> security, and unchecked Java.
Someone else will have to give a definitive answer on this since I don't use Lion. But, if reinstalling in Lion is anything like it is in Snow, it brings over apps and users intact. If that's so in Lion, I'm not sure I'd trust that as a way of eradicating this thing.
If it left everything in place, sounds like you may still be infected.
Did you run the various Terminal commands to see if it was still present?
I did run the virus scanner again. Everything in place...I was referring to user files, i.e. data.
There are a couple of Applescripts that help you finding out whether you are infected: http://c-mac.me/Fc21?cnn=yes
Those apple scripts are deficient. And now someone posted a applescript app on macupdate which is also deficient.
Here's what I am suggesting as a rudimentary test for (not remove) some of the known strains of the flashback trojans. Open a terminal window and copy/paste each of the following lines hitting return after each one and note the results:
defaults read ~/.MacOSX/environment
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read /Applications/Firefox.app/Contents/Info LSEnvironment
ls -la ~/Library/LaunchAgents
grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* | grep -v "/Users/$USER/\.Trash"
For the three defaults commands if you get anything other than a "does not exist" error message post the results since you are almost certainly infected.
The fourth command, ls, just lists the contents of your LaunchAgents, if any. That's additional info to be used in conjunction with the last grep command. If the grep displays any results then that too may indicate infection and again post its results.
For removal, the current instructions are specified at F-Secure's Trojan-Downloader:OSX/Flashback.K.