richieberetta wrote:
I did install a Flash update a while ago, but that was when I was prompted while on youtube.com. I can't recall if that was when I started seeing strange characters in my Finder menu when I would right-click a file; I only took notice of it a couple of days ago. (Sidenote: that would be the only time I'd see the characters. It substituted the "Open With" and one other menu option I can't recall, only when right-clicking. Also, I never experienced any fake Google redirects or crashes, but I don't use Safari as my main browser.)
According to Intego there have been over two dozen variants of Flashback since it was deployed last year, so identifying what version you might have had is difficult.
If it was one of the FlashPlayer versions, then I think it would have had to have been before mid-February when Flashback started using Java to infect, rather than trying to convince you that you need an update. I don't recall YouTube being involved with those, but anything is possible. Up until recently YouTube was almost exclusively Flash, so it would not be a surprise if it gave you a legitimate need to upgrade.
But you are right that the FlashPlayer developers seemed to have solved the strange character problem at some point; I just don't remember if that was before or after they started using Java.
Some variants infected Firefox and Chrome as well as Safari.
After reading this whole thread last night I did the search using Terminal and Go to Folder as I described in my previous post, without finding any trace of the Trojan. After writing the post I did a system update; I am now running 10.6.8 and all my software is current. The strange characters don't show up anymore, and I ran that F-Secure script just now and it said that there was no malware found.
If there was Flashback malware present on your hard drive, the last Java Update you ran after updating to 10.6.8 would have removed components of "the most common" variants, according to Apple. It would have informed you if it did, but not if it did not find anything. Did you see any such notification? If not then either it wasn't there to start with or the Apple MRT wasn't targeted against your variant. Impossible to know which.
The F-Secure script is targeted against the last couple of variants, which do share some but not all of the components of earlier versions, so I'm not certain that completely answers the question, either.
It seems as if the problem is sorted, but if possible I would like your expert opinion as to whether I'm really safe or not. I have changed all my passwords and erased Firefox and Chrome and re-installed them.
I'd say your chances are really good. If I had the time I would have catalogued all the various combinations we've seen so that I could tell you everywhere you need to look, but I haven't done that. The F-Secure site has the most detailed information on all the variants they considered important. Intego has a wealth of information, as well, but are not nearly as forthcoming on how to remove it.