Please Help! Finder is displaying strange codes such as N80 and N201

I think I may have this Java Trojan virus that many have been talking about, in which the most common attribute of it is that it makes my Finder display folder names as N80, N81, etc.... in replacement of titles such as 'Open Finder' and 'Empty Trash'


Here are some screen caps of the problem.




I have tried a few things, such as Repair Disk Permissions, restarting, and logging off, but to no success.


Any suggestions/ideas would be greatly appreciated, as I am concerned this might be the Java Trojan virus, and wish to restore my Mac to what it was before.


I have a Mac OS X 10.6.6


Thanks! Lucy

MacBook, Mac OS X (10.6.6)

Posted on Mar 2, 2012 12:23 AM


Mar 2, 2012 1:09 AM in response to Jay-Lee

Read these:


Beware the Morphing Flashback Malware


Intego finds new, insidious strain of Mac Flashback Trojan horse


For the current strain of this trojan (flashback.g) look for the following files, easiest done from the terminal (use the following commands):


ls -la /Users/Shared/*.so

ls -la /Users/Shared/.svcdmp

ls -la ~/.MacOSX/environment.plist

ls -la ~/Library/Logs/vmLog


The ls command will report an error if it cannot find the file(s).


If you find any of these guys delete them (also easiest done from the terminal).


Also, you will probably have to replace your Safari and/or Firefox browsers since this trojan may inject code into them as well.

Mar 2, 2012 1:41 AM in response to Jay-Lee

Jay-Lee wrote:


I think I may have this Java Trojan virus

I'm afraid it's very likely you do. I can't see your pics, but the subject is enough.


If you want to be sure, open Terminal and paste this line in it


defaults read ~/.MacOSX/environment


then press Return. Copy the result and paste it here.


Thomas A Reed, a frequent contributor to this forum, has info on it here


<http://www.reedcorner.net/news.php/?p=355>


There are other threads on the topic, e.g.


<https://discussions.apple.com/thread/3752508>

<https://discussions.apple.com/thread/3750116>


Unfortunately, the only solution at this point is to erase your hard disk, re-install the OS and apps from the original discs, and restore your documents (but only your documents) from the backup. The reason is that, at this point, no-one knows for sure what code this malware has installed, where, and how to find it; so, removing the files listed here or there is no guarantee that all the malicious code has been removed.

Mar 2, 2012 7:58 AM in response to MadMacs0

Update: I have done what you previously suggested in a similar post, in which you stated to:

"In the Finder select "Go To Folder..." from the "Go" menu or type Command-Shift-G.

In the "Go to the folder:" dialog type "~/.MacOSX/" without the quotes."


I found the "environment.plist" file and trashed it, logged out, and restarted and everything appears as how it should! Codes for Finder names are gone and have been replaced with their proper names.


I also ran "defaults read ~/.MacOSX/environment" through Terminal again and this time it replied with ".MacOSX/environment does not exist"


Is there more I should do to ensure the virus is gone?

Mar 2, 2012 11:45 AM in response to Jay-Lee

The environment.plist is the key file on which the rest of the trojan hangs (at least in this strain). But you posted that it references "/Users/Shared/.GameHouseHolidayExpress.so", so that file must be there too. You should trash that as well.


There may be some of the other files I mentioned earlier so look for them as well:


/Users/Shared/.svcdmp

~/Library/Logs/vmLog (in your home directory)


And if the Tidbits article is correct (see part that starts with Infection Effects) Safari, Firefox, and Skype should be replaced.

Mar 2, 2012 1:52 PM in response to X423424X

X423424X wrote:


The environment.plist is the key file on which the rest of the trojan hangs (at least in this strain). But you posted that it references "/Users/Shared/.GameHouseHolidayExpress.so", so that file must be there too. You should trash that as well.


There may be some of the other files I mentioned earlier so look for them as well:


/Users/Shared/.svcdmp

~/Library/Logs/vmLog (in your home directory)

@Jay-Lee, There may well be one more in "~/Library/Application Support/.GameHouseHolidayExpress.so" which may or may not be causing Google redirects.


Since some of these are hidden, you will need to use some of the following in Terminal. Be sure to copy and paste them exactly as written as you could easily delete something else with a typo:


rm -rf ~/.MacOSX/environment.plist

(you already got this one)


rm -rf ~/Library/Application\ Support/.GameHouseHolidayExpress.so


rm -rf ~/Library/Logs/vmLog

(you probably found this one already)


rm -rf /Users/Shared/.GameHouseHolidayExpress.so


rm -rf /Users/Shared/.svcdmp

And if the Tidbits article is correct (see part that starts with Infection Effects) Safari, Firefox, and Skype should be replaced.

I currently agree with this as it's not that hard to do, but yesterday a user found evidence that the applications were not infected on the hard drive, only when they launched and loaded into RAM. Since we don't have confirmation from Iomega, TidBITS or anybody else yet, safest thing would be to replace them from source after removing the above.


Several (including myself) have recommended making sure you have a backup of all your data, use your install disks to reformat and install a clean system, update it with Software Update, restore all your applications from source and then recover your data files from backup. Or use a TimeMachine backup to return your hard drive to pre-infection status, if you know exactly when it happened. That's extreme and a lot of work I know, but with the lack of detail published concerning this infection, that's the only way to be certain you got everything. If after removing all traces of the Trojan and replacing the network apps you still have unexplained issues, it's probably your only choice at this time.

Mar 2, 2012 2:04 PM in response to MadMacs0

There may well be one more in "~/Library/Application Support/.GameHouseHolidayExpress.so" which may or may not be causing Google redirects.


~/Library/Application Support/ ?? His DYLD_INSERT_LIBRARIES was pointing at /Users/Shared. I've seen no mention of ~/Library/Application Support in any of the articles (or at least I don't recall at the moment).
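
Added example, not part of any post in this thread: a read-only shell check for the file locations the posters list above, including hidden `.so` files (which a bare `*.so` glob does not match) and whether environment.plist sets DYLD_INSERT_LIBRARIES. The function name and its two directory arguments are assumptions of this example; it only lists, so deletion stays a deliberate manual step.

```bash
#!/bin/sh
# Added example, not from the thread. Read-only: it lists, never deletes.
# Arguments (assumptions of this example): $1 = home directory to inspect,
# $2 = shared directory; defaults are the live locations named in the posts.

flashback_check() (
    home_dir="${1:-$HOME}"
    shared_dir="${2:-/Users/Shared}"
    plist="$home_dir/.MacOSX/environment.plist"
    hits=0

    report() {   # print a path only if it exists
        if [ -e "$1" ]; then
            echo "FOUND: $1"
            hits=$((hits + 1))
        fi
    }

    # Fixed locations listed in the posts.
    report "$shared_dir/.svcdmp"
    report "$home_dir/Library/Logs/vmLog"

    # The library in this thread is a dot-file, which a bare *.so glob skips,
    # so match hidden and visible names. Application Support is the extra
    # location one poster suggested.
    for f in "$shared_dir"/*.so "$shared_dir"/.*.so \
             "$home_dir/Library/Application Support"/*.so \
             "$home_dir/Library/Application Support"/.*.so
    do
        report "$f"
    done

    # environment.plist can exist legitimately; what matters is whether it
    # sets DYLD_INSERT_LIBRARIES. -a lets grep search a binary plist as text.
    if [ -f "$plist" ]; then
        if grep -a -q 'DYLD_INSERT_LIBRARIES' "$plist"; then
            echo "FOUND: $plist (sets DYLD_INSERT_LIBRARIES)"
            hits=$((hits + 1))
        else
            echo "NOTE: $plist exists but does not set DYLD_INSERT_LIBRARIES"
        fi
    fi

    echo "hits=$hits"
)
```

Run `flashback_check` with no arguments for the logged-in user, or pass the home and shared directories of a mounted backup to inspect it without booting from it.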

Mar 2, 2012 2:07 PM in response to Jay-Lee

In addition to what has been said, since this thing is rather pointless unless it can get back to the mothership -- they aren't just trying to prove that they can break into your computer; this is for profit -- I can't recommend Little Snitch highly enough. It will detect when an infected application or process is trying to make an outbound connection and "phone home." If you don't go the complete erase and install route from scratch, then, at least, you will know if something you haven't zapped is still hiding somewhere and trying to get out with your sensitive data or who knows what and be able to stop it.


It runs as a free demo for three hours, but can be renewed.


http://www.obdev.at/products/littlesnitch/releasenotes.html

Mar 2, 2012 2:13 PM in response to WZZZ

FWIW, I am an advocate of using LS. It is one of my "must haves" for my systems. But having said that, if this trojan, when embedded in a browser, calls home via the browser, say using port 80, then of course LS won't detect it unless you block the port. And you can't really do that since then you couldn't use the browser.


Note, I may be mixing my trojan strains up, but I seem to recall that one of these strains doesn't bother installing itself if it sees certain protections. I think the Intego stuff is one and LS may be another.
