HT5048: About the OS X Lion v10.7.3 Update

HT5048 recent apple virus

4314 Views 8 Replies Latest reply: May 8, 2013 7:07 AM by thomas_r.
bynermack2
Apr 9, 2012 2:36 PM

How to check if my Mac has been infected with the recent flashback virus?  I already downloaded the software update.............

Mac OS X (10.7.3)
  • Topher Kessler Level 6 (9,295 points)
    Apr 9, 2012 2:43 PM (in response to bynermack2)

    Here: http://reviews.cnet.com/8301-13727_7-57410096-263/how-to-remove-the-flashback-malware-from-os-x/?tag=txt;title

     

    In essence, open the Terminal utility (in the /Applications/Utilities/ folder) and run the following commands (copy one line at a time, then press Enter in the Terminal after it is pasted):

     

    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES


    defaults read /Applications/Safari.app/Contents/Info LSEnvironment


    defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

     

    ls -la ~/../Shared/.*.so

     

    ls -la ~/../Shared/.*.dyld

     

    ls -la ~/Library/LaunchAgents

     

    When finished, press Command-A to select all the contents of the Terminal and paste it to a message on this board, and we will let you know if your system has any suspect files that are associated with the malware, and how to proceed from there.

     

    Alternatively, you can download Sophos Home Edition (http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx) or ClamXav (http://www.clamxav.com), update their definitions, and then scan your system to find known variants of the malware.
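The checks listed in the post above, wrapped so they run without being retyped and each result is labelled. This is an added example, not part of the original post; the function names and the optional home-directory argument are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): the six checks, run without retyping.

# Is a defaults key set? `defaults read` exits non-zero when it prints
# "The domain/default pair ... does not exist".
check_key() {   # $1 = plist path without ".plist", $2 = key
    if ! command -v defaults >/dev/null 2>&1; then
        echo "skipped"                  # defaults(1) not available here
    elif defaults read "$1" "$2" >/dev/null 2>&1; then
        echo "present"
    else
        echo "absent"
    fi
}

# Does any hidden file with this extension exist in the directory?
check_hidden() {   # $1 = directory, $2 = extension ("so" or "dyld")
    for f in "$1"/.*."$2"; do
        if [ -e "$f" ]; then echo "present"; return 0; fi
    done
    echo "absent"                       # an unmatched glob stays literal
}

# Run all checks against one home directory (assumption: defaults to $HOME).
flashback_check() {
    home=${1:-$HOME}
    echo "DYLD_INSERT_LIBRARIES: $(check_key "$home/.MacOSX/environment" DYLD_INSERT_LIBRARIES)"
    for app in Safari Firefox; do
        echo "$app LSEnvironment: $(check_key "/Applications/$app.app/Contents/Info" LSEnvironment)"
    done
    echo "Shared hidden .so: $(check_hidden "$home/../Shared" so)"
    echo "Shared hidden .dyld: $(check_hidden "$home/../Shared" dyld)"
    echo "LaunchAgents (review the names by hand):"
    ls -la "$home/Library/LaunchAgents" 2>/dev/null || echo "  (no such folder)"
}

flashback_check "$@"
```

A line reading `present` means the key or file exists and needs a closer look; it is not by itself a verdict.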

  • imac2308
    Apr 21, 2012 11:17 AM (in response to Topher Kessler)

    Thank you for this advice. Probably no issues, but followed your instructions and sent you this. Can you help?:

     

    Last login: Sat Apr 21 19:11:17 on ttys000

    Andrew-Panayis-iMac:~ andrewpanayi$ defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

    2012-04-21 19:12:39.785 defaults[5103:903]

    The domain/default pair of (/Users/andrewpanayi/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist

    Andrew-Panayis-iMac:~ andrewpanayi$ defaults read /Applications/Safari.app/Contents/Info LSEnvironment

    2012-04-21 19:12:53.478 defaults[5104:903]

    The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist

    Andrew-Panayis-iMac:~ andrewpanayi$

    Andrew-Panayis-iMac:~ andrewpanayi$ defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

    2012-04-21 19:13:23.076 defaults[5105:903]

    The domain/default pair of (/Applications/Firefox.app/Contents/Info, LSEnvironment) does not exist

    Andrew-Panayis-iMac:~ andrewpanayi$ ls -la ~/../Shared/.*.so

    ls: /Users/andrewpanayi/../Shared/.*.so: No such file or directory

    Andrew-Panayis-iMac:~ andrewpanayi$

    Andrew-Panayis-iMac:~ andrewpanayi$ ls -la ~/../Shared/.*.dyld

    ls: /Users/andrewpanayi/../Shared/.*.dyld: No such file or directory

    Andrew-Panayis-iMac:~ andrewpanayi$ ls -la ~/Library/LaunchAgents

    total 40

    drwxr-xr-x   7 andrewpanayi  staff   238 16 Sep  2011 .

    drwx------+ 41 andrewpanayi  staff  1394 29 Jan 14:26 ..

    -rw-r--r--   1 andrewpanayi  staff   463 15 Oct  2010 com.apple.FTMonitor.plist

    -rw-r--r--   1 andrewpanayi  staff   552 20 Oct  2010 com.apple.apsd-ft.plist

    -rw-r--r--   1 andrewpanayi  staff   411 13 Oct  2010 com.apple.imagent.plist

    -rw-r--r--   1 andrewpanayi  staff   447 13 Oct  2010 com.apple.marcoagent.plist

    -rw-r--r--   1 andrewpanayi  staff   809 16 Sep  2011 com.google.keystone.agent.plist

    Andrew-Panayis-iMac:~ andrewpanayi$

  • yellowbeezus
    Jul 7, 2012 11:10 AM (in response to bynermack2)

    Hi, I'm almost positive I have a virus on my macbook that is not allowing any of my browsers to connect to the internet. I know this because I tried to diagnose it on the network side by speaking with my internet provider, and after trying several things, they concluded that it's some setting that's in my browser. My airport shows that I'm connected to wifi, but when I get onto Google Chrome, the page shows up as "Unable to connect to the Internet" Error 106. I followed the instructions above to see if I have the flashback virus, and below is what I got. Can you please help?

     

    Last login: Fri Jun 22 11:28:09 on console

    Isabela-Samrenys-MacBook:~ yellowbeezus$

    Isabela-Samrenys-MacBook:~ yellowbeezus$ defaults read~/.MacOSX/environment DYLD_INSERT_LIBRARIES

    Command line interface to a user's defaults.

    Syntax:

     

     

    'defaults' [-currentHost | -host <hostname>] followed by one of the following:

     

     

      read                                 shows all defaults

      read <domain>                        shows defaults for given domain

      read <domain> <key>                  shows defaults for given domain, key

     

     

      read-type <domain> <key>             shows the type for the given domain, key

     

     

      write <domain> <domain_rep>          writes domain (overwrites existing)

      write <domain> <key> <value>         writes key for domain

     

     

      rename <domain> <old_key> <new_key>  renames old_key to new_key

     

     

      delete <domain>                      deletes domain

      delete <domain> <key>                deletes key in domain

     

     

      domains                              lists all domains

      find <word>                          lists all entries containing word

      help                                 print this help

     

     

    <domain> is ( <domain_name> | -app <application_name> | -globalDomain )

             or a path to a file omitting the '.plist' extension

     

     

    <value> is one of:

      <value_rep>

      -string <string_value>

      -data <hex_digits>

      -int[eger] <integer_value>

      -float  <floating-point_value>

      -bool[ean] (true | false | yes | no)

      -date <date_rep>

      -array <value1> <value2> ...

      -array-add <value1> <value2> ...

      -dict <key1> <value1> <key2> <value2> ...

      -dict-add <key1> <value1> ...

    Isabela-Samrenys-MacBook:~ yellowbeezus$ defaults read/Applications/Safari.app/Contents/Info LSEnvironment

    Command line interface to a user's defaults.

    Syntax:

     

     

    'defaults' [-currentHost | -host <hostname>] followed by one of the following:

     

     

      read                                 shows all defaults

      read <domain>                        shows defaults for given domain

      read <domain> <key>                  shows defaults for given domain, key

     

     

      read-type <domain> <key>             shows the type for the given domain, key

     

     

      write <domain> <domain_rep>          writes domain (overwrites existing)

      write <domain> <key> <value>         writes key for domain

     

     

      rename <domain> <old_key> <new_key>  renames old_key to new_key

     

     

      delete <domain>                      deletes domain

      delete <domain> <key>                deletes key in domain

     

     

      domains                              lists all domains

      find <word>                          lists all entries containing word

      help                                 print this help

     

     

    <domain> is ( <domain_name> | -app <application_name> | -globalDomain )

             or a path to a file omitting the '.plist' extension

     

     

    <value> is one of:

      <value_rep>

      -string <string_value>

      -data <hex_digits>

      -int[eger] <integer_value>

      -float  <floating-point_value>

      -bool[ean] (true | false | yes | no)

      -date <date_rep>

      -array <value1> <value2> ...

      -array-add <value1> <value2> ...

      -dict <key1> <value1> <key2> <value2> ...

      -dict-add <key1> <value1> ...

    Isabela-Samrenys-MacBook:~ yellowbeezus$ defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

    2012-07-07 13:46:22.253 defaults[15676:903]

    The domain/default pair of (/Applications/Firefox.app/Contents/Info, LSEnvironment) does not exist

    Isabela-Samrenys-MacBook:~ yellowbeezus$ ls -la ~/..Shared/.*.so

    ls: /Users/yellowbeezus/..Shared/.*.so: No such file or directory

    Isabela-Samrenys-MacBook:~ yellowbeezus$ ls -la~/../Shared/.*.dyld

    ls: illegal option -- ~

    usage: ls [-ABCFGHLOPRSTUWabcdefghiklmnopqrstuwx1] [file ...]

    Isabela-Samrenys-MacBook:~ yellowbeezus$ ls -la~/Library/LaunchAgents

    ls: illegal option -- ~

    usage: ls [-ABCFGHLOPRSTUWabcdefghiklmnopqrstuwx1] [file ...]

    Isabela-Samrenys-MacBook:~ yellowbeezus$

  • macjack Level 9 (50,445 points)
    Jul 7, 2012 11:38 AM (in response to bynermack2)

    If your Mac was infected you would have gotten a message it was removed. No news is good news.

    There are NO viruses that attack Macs and fairly little malware.

     

    "Mac OS X versions 10.6.7 and later have built-in detection of known Mac malware in downloaded files. The recognition database is automatically updated once a day; however, you shouldn't rely on it, because the attackers are always at least a day ahead of the defenders. In most cases, there’s no benefit from any other automated protection against malware."

  • thomas_r. Level 7 (26,930 points)
    Jul 7, 2012 11:51 AM (in response to yellowbeezus)

    Those tests are difficult for a novice to use properly.  In fact, you've mis-typed several of them, so most of your results are meaningless.

     

    Just run Software Update if you haven't already.  And for more information about Flashback, see:

     

    http://www.reedcorner.net/about-the-flashback-malware/

     

    The symptoms you describe are not typical of Flashback anyway.  I'd advise you to post your own topic with a clear description of the symptoms for assistance with fixing the problem.

  • etresoft Level 7 (23,880 points)
    Jul 7, 2012 12:43 PM (in response to yellowbeezus)

    It is much more likely that your Mac is not fully connected to your router. Run System Preferences > Network and see what the status is under WiFi.

  • praejones
    May 8, 2013 6:51 AM (in response to bynermack2)

    Last login: Wed Mar 13 13:51:47 on ttys000

    new-host:~ Phyllis$

    Last login: Wed May  8 07:37:48 on console

    new-host:~ Phyllis$

    new-host:~ Phyllis$ defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

    2013-05-08 09:48:34.267 defaults[315:707]

    The domain/default pair of (/Users/Phyllis/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist

    new-host:~ Phyllis$

    new-host:~ Phyllis$ defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

    2013-05-08 09:49:01.716 defaults[316:707]

    The domain/default pair of (/Users/Phyllis/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist

    new-host:~ Phyllis$

    new-host:~ Phyllis$ defaults read /Applications/Safari.app/Contents/Info LSEnvironment

    2013-05-08 09:49:21.180 defaults[317:707]

    The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist

    new-host:~ Phyllis$ defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

    2013-05-08 09:49:37.794 defaults[318:707]

    The domain/default pair of (/Applications/Firefox.app/Contents/Info, LSEnvironment) does not exist

    new-host:~ Phyllis$ ls -la ~/../Shared/.*.so

    ls: /Users/Phyllis/../Shared/.*.so: No such file or directory

    new-host:~ Phyllis$ ls -la ~/../Shared/.*.dyld

    ls: /Users/Phyllis/../Shared/.*.dyld: No such file or directory

    new-host:~ Phyllis$ ls -la ~/Library/LaunchAgents

    total 32

    drwx------   6 Phyllis  staff   204 Jul 20  2012 .

    drwx------@ 47 Phyllis  staff  1598 Dec 20 17:05 ..

    -rw-r--r--   1 Phyllis  staff   618 Oct 22  2011 com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.4006AA38-FF2B-4DD3-A357-64A44C4BA9C8.plist

    -rw-------   1 Phyllis  staff   814 Jul 18  2009 com.apple.SafariBookmarksSyncer.plist

    -rw-r--r--   1 Phyllis  staff   804 Jul 20  2012 com.google.keystone.agent.plist

    -rw-r--r--   1 Phyllis  staff   541 Mar 23  2011 com.zeobit.MacKeeper.Helper

    new-host:~ Phyllis$

  • thomas_r. Level 7 (26,930 points)
    May 8, 2013 7:07 AM (in response to praejones)

    You're going to need to post a question on a new topic. This one is a year old, and the malware we were discussing at that time is gone.

     

    What you need to do is start a new question of your own, then describe in words what the problem is. Do not make the assumption that your problem is caused by malware (it probably isn't)... Just describe the symptoms and let the experts here propose solutions.
