Finder shows strange letter and number strings, programs "quit unexpectedly"

richieberetta wrote:

I did install flash update a while ago but that was when I was prompted while on youtube.com - I can't recall if that was when I started seeing strange characters in my finder menu when I would right click a file - I only took notice of it a couple of days ago. (sidenote: that would be the only time I'd see the characters - it substituted the "Open With" one other menu option I can't recal - only when right clickingl. Also, I never experienced any fake google redirects or crashes - but I don't use Safari as my main browser.)

According to Intego there have been over two dozen variants of Flashback since it was deployed last year, so identifying what version you might have had is difficult.

If it was one of the FlashPlayer versions, then I think it would have had to have been before mid-February when Flashback started using Java to infect, rather than trying to convince you that you need an update. I don't recall YouTube being involved with those, but anything is possible. Up until recently YouTube was almost exclusively Flash, so it would not be a surprise if it gave you a legitimate need to upgrade.

But you are right that the FlashPlayer developers seemed to have solved the strange character problem at some point, I just don't remember if that was before or after they started using Java.

Some variants infected Firefox and Chrome as well as Safari.

After reading this whole thread last night I did the search using terminal and Go to Folder as I described in my previous post without finding any trace of the Trojan. After writing the post I did a system update I am now running 10.6.8. and all my software is current. The strange characters don't show up anymore and I ran that F-Secure script just now and it said that there was no malware found.

If there was Flashback malware present on your hard drive, the last Java Update you ran after updating to 10.6.8 would have removed components of "the most common" variants, according to Apple. It would have informed you if it did, but not if it did not find anything. Did you see any such notification? If not then either it wasn't there to start with or the Apple MRT wasn't targeted against your variant. Impossible to know which.

The F-Secure script is targetted against the last couple of variants, which do share some but not all of the components of earlier versions, so I'm not certain that completely answers the question, either.

It seems as if the problem is sorted but if possible I would like your expert opinion as to if I'm really safe or not. I have changed all my pw's and erased Firefox and Chrome and re-installed them.

I'd say your chances are really good. If I had the time I would have catalogued all the various combinations we've seen so that I could tell you everywhere you need to look, but I haven't done that. The F-Secure site has the most detailed information on all the variants they considered important. Intego has a wealth of information, as well, but are not nearly as forthcoming on how to remove it.

MadMacs0,

I need some help. I tried to read through and understand so I wouldn't have to ask more questions to you but i got pretty confused. Im running on 10.6.8 and my finder titles have changed to weird things such as SD5, SD8, and SD7. as well as my trash to N39. My skype will never work and my safari sometimes turns off as well as directs me to a different site whenever i click something for example off google. I did do the thing in terminal where you search for the enviro thing and mine came back with...

"DYLD_INSERT_LIBRARIES" = "/Users/Shared/.XARAWebstylev.so"

Now I have no idea what to do from here. please help me!

HelpHelpHelpPlease wrote:

MadMacs0,

I need some help. I tried to read through and understand so I wouldn't have to ask more questions to you but i got pretty confused. Im running on 10.6.8 and my finder titles have changed to weird things such as SD5, SD8, and SD7. as well as my trash to N39. My skype will never work and my safari sometimes turns off as well as directs me to a different site whenever i click something for example off google. I did do the thing in terminal where you search for the enviro thing and mine came back with...

"DYLD_INSERT_LIBRARIES" = "/Users/Shared/.XARAWebstylev.so"

Now I have no idea what to do from here. please help me!

You are infected by some variant of the Flashback malware. Run Software Update and install everything there, starting with Java for Mac OS X 10.6 Update 8. Keep running Software Update until it tells you that there are no more updates. If that doesn't fix it, come back and we'll try some other options.

ran that and it said it detected and removed my malware! skype and all my finder labels are back to normal! thanks a ton, i thought i was in for a lot worse.

wahhooo!!!

HelpHelpHelpPlease wrote:

ran that and it said it detected and removed my malware! skype and all my finder labels are back to normal! thanks a ton, i thought i was in for a lot worse.

Still a few things to do.

Open your System Preferences->Software Update and make sure you check daily for updates. Then be sure to install them in a timely manner when notified, especially the security related ones.

Turn Java (not JavaScript which is an entirely different thing) off in your browsers so that the next flaw to be exploited won't bite you. How To Disable Java in your Mac Web Browser

Watch all the financial accounts of sites you visited while infected to make sure the malware didn't harvest privacy information and consider changing passwords for those sites along with any identical passwords you use on other sites.