how to manually remove "exploit.pdf-js.gen"

I just installed BitDefender Anti-virus and did a system scan. The results showed that I have a number of threats on my backup volume (external drive for Time Machine to back up on). The threats are all "exploit.pdf-js.gen". However, I got a message from BitDefender saying that access was denied to these infected files and that deletion of these files failed.


I tried following the path to these files, but once I got to /Users/["my name"]/Library, I don't see the "Library" folder in the ["my name"] folder. It does, however, appear that these threats are found in some emails as attachments. I also tried looking for these email attachments in iMail, but they are nowhere in there.



How do I manually get rid of them? Thanks very much! I really need to get rid of these files because, from the file names of these suspicious PDFs, they appear to have been sent to my computer for rather sensitive political reasons...


Thanks!

iMac, Mac OS X (10.7.3)

Posted on Mar 23, 2012 4:28 AM


Mar 23, 2012 8:38 AM in response to charsiufaan

Get rid of BitDefender.


Install and scan your Mac with MacScan and/or ClamXav, as mentioned here:


User Tip on Viruses, Trojan Detection and Removal, as well as general Internet Security and Privacy:


https://discussions.apple.com/docs/DOC-2435



The User Tip (which you are welcome to print out and retain for future reference) seeks to offer some guidance on the main security threats and how to avoid them.



Bear in mind that from April to December 2011 there were only 58 attempted security threats to the Mac - a mere fraction compared to Windows malware:


http://www.f-secure.com/weblog/archives/00002300.html


(I have ClamXav set to scan incoming emails, but nothing else.)

Mar 23, 2012 9:46 AM in response to charsiufaan

The knee-jerk reaction from Mr. Hemphill that there are no Mac viruses (yes, there are no Mac viruses, but viruses are not to be confused with malware, which Macs do get) and AV is never needed on a Mac will not suffice.


According to Microsoft Malware Protection, this is real malware that came via infected pdfs, which exploited a vulnerability in earlier versions of Adobe Reader. It is, apparently, cross-platform, Mac/Windows. How effective or infectious it actually is on a Mac I also don't know. It may be cross platform, but do nothing on a Mac, but I'd still get rid of it.


And I don't know if it could still be active on your system. But you should remove those files.


You'll see that different AV programs have given it different names.


The vulnerability affects Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X.


http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit%3AWin32%2FPdfjsc.JU


I'm not seeing anything like it for pdf in the ClamX catalog. Whether this means that ClamX omitted it, it's listed under some name without pdf, or they don't think it will run on a Mac, I don't know.



Mar 23, 2012 1:40 PM in response to charsiufaan

charsiufaan wrote:


I just installed BitDefender Anti-virus and did a system scan. The results turned out that I have a number of threats found on my backup volume (external drive for time machine to back up on).

In general terms, it's never a good idea to be using A-V software to scan your Time Machine volume. There is nothing there that can harm you unless you restore from it, and you can easily render it useless by moving any files around, either with the software or the Finder. Best to ignore it and make sure you scan your hard drive immediately after a restoration. Eventually any old malware will be removed on its own.


It's best to clean up your TM backup at the time you find malware on your HD, but if you insist on cleaning it, the only way to not corrupt it is to start with the window on your hard drive where the malware was originally, enter time machine, go back in time until you find an instance of the file, highlight it and use the Action menu (gear) to "Delete All Backups of '<filename>'."

Mar 23, 2012 2:07 PM in response to WZZZ

WZZZ wrote:


According to Microsoft Malware Protection, this is real malware that came via infected pdfs, which exploited a vulnerability in earlier versions of Adobe Reader. It is, apparently, cross-platform, Mac/Windows. How effective or infectious it actually is on a Mac I also don't know. It may be cross platform, but do nothing on a Mac, but I'd still get rid of it.


And I don't know if it could still be active on your system. But you should remove those files.


You'll see that different AV programs have given it different names.

The vulnerability affects Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X.

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit%3AWin32%2FPdfjsc.JU


I'm not seeing anything like it for pdf in the ClamX catalog. Whether this means that ClamX omitted it, it's listed under some name without pdf, or they don't think it will run on a Mac, I don't know.

Only Mac OS X unique names have "OSX" in them. Cross platform names such as this PDF JavaScript malware would not be so labeled. A quick search reveals that ClamXav may call this one "Exploit.Pdfka-26" but it's impossible to be certain.


It is certainly understandable that a JavaScript would be able to exploit a vulnerability in an application such as Adobe Reader on multiple platforms, but to then do harm to the OS on both platforms would be difficult. Within the last week I have read of a Trojan that is capable of using a Java vulnerability and, knowing what platform it is on (Windows or Mac), installing the appropriate malware, so that will become an increasingly probable situation.


There have been no reports of this particular exploit targeting OS X, but as malware becomes more refined, users will be less likely to know they are infected until they find a strange charge on their credit card or worse. I don't think it's time to panic and tell all users they must use A-V software, but it's getting closer every day.


In this specific case, just as with the Java vulnerability, the fix is to make certain that they are not using an out-of-date version of Adobe Reader. Of course, some users who are still running legacy OS X (anything less than 10.6.8) may not be able to update all their vulnerable third-party software, so they may need to shop for a newer OS or Mac, as the case may be.
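
A defender-side triage check for the PDF JavaScript indicators this thread is about, written as an added example (it is not from the thread, from BitDefender or from ClamXav): it normalises two things a plain grep for "/JavaScript" misses, hex-escaped names and Flate-compressed object streams, and then counts the suspicious keys. The two sample PDFs and the list of keys are my own constructions; a hit is a reason to inspect or quarantine a file, not proof that it is malicious.

```python
import re
import zlib

# Keys whose presence warrants a closer look: script, auto-run actions,
# launching external programs and embedded files (my list, not an AV signature).
SUSPICIOUS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile"]

def build_sample_pdf(with_js: bool) -> bytes:
    """Construct a tiny PDF. With with_js=True the JavaScript action sits inside a
    Flate-compressed object stream and its name is hex-escaped (/J#61vaScript),
    two common tricks that defeat a naive search for /JavaScript."""
    header = b"%PDF-1.5\n1 0 obj << /Type /Catalog /Pages 2 0 R"
    header += b" /OpenAction 3 0 R >> endobj\n" if with_js else b" >> endobj\n"
    body = b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    if with_js:
        packed = zlib.compress(b"3 0 obj << /S /J#61vaScript /JS (app.alert('x')) >> endobj")
        body += (b"4 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
                 + str(len(packed)).encode() + b" >>\nstream\n" + packed
                 + b"\nendstream\nendobj\n")
    return header + body + b"trailer << /Root 1 0 R >>\n%%EOF\n"

def inflate_streams(data: bytes) -> bytes:
    """Replace each stream body with its inflated content; streams that are not
    Flate are left untouched. decompressobj tolerates the one trailing byte the
    regex may swallow when the compressed data happens to end in a CR."""
    def repl(m):
        try:
            return b"stream\n" + zlib.decompressobj().decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return m.group(0)
    return re.sub(rb"stream\r?\n(.*?)\r?\nendstream", repl, data, flags=re.S)

def decode_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes in PDF names so /J#61vaScript reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def triage(pdf: bytes) -> dict:
    """Count each suspicious key after normalising; an empty dict means nothing to flag."""
    text = decode_names(inflate_streams(pdf))
    hits = {}
    for key in SUSPICIOUS:
        n = len(re.findall(re.escape(key) + rb"(?![A-Za-z])", text))  # /JS must not match /JSomething
        if n:
            hits[key.decode()] = n
    return hits

if __name__ == "__main__":
    for label, flag in (("benign", False), ("js-bearing", True)):
        print(label, triage(build_sample_pdf(flag)))
```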

Mar 23, 2012 2:26 PM in response to MadMacs0

MadMacs0 wrote: Of course, some users who are still running legacy OS X (anything less than 10.6.8) may not be able to update all their vulnerable third party software, so they may need to shop for a newer OS or Mac, as the case may be.

Or just use Preview, methinks.


Seems like a Trojan could be programmed to know what to do depending on the user agent.


FWIW, Reader 10 has been "sandboxed." But I'm not sure I'd bet the ranch on it being impervious. Reader 9 keeps getting updates. I have both around -- Reader 9, always updated, for a once yearly internal tax printing session only -- but have Preview set as my default pdf app. The following recommended hardening of Reader, either version, comes courtesy of Anonymous at XYMer's, who recommends uninstalling it as really the best solution. (This was before the advent of Reader 10.)

JavaScript: uncheck "Enable Acrobat JavaScript" and uncheck "Enable menu items JavaScript." Put a check mark next to "Enable global object security policy."
Multimedia Trust (legacy): click the radio button for "Trusted documents" and uncheck "Allow multimedia operations." Then click the radio button for "Other Documents" and again uncheck "Allow multimedia operations."
Security (Enhanced): check "Enable Enhanced Security."
Trust Manager: uncheck "Allow opening of non-PDF file attachments with external applications." Next, under "Internet Access from PDF files outside the web browser" click the button labeled "Change Settings," then select "Block all web sites" and click OK.
Finally, under "Identity," feel free to lie (although you can't change your login name).


When you're done, click OK, quit Adobe Reader, and lock its preference file.

Mar 23, 2012 8:15 AM in response to charsiufaan

I know nothing of Bit Defender so I will not make comments on its abilities one way or another. I will answer to the point you made about not finding the ~/["my name"]/Library folder.


The Library folder is there but Apple has made it hidden from view for Mac OS X Lion. What I have done is to use the Finder menu Go > Go To Folder... > "~/Library/" (without the quotes) to access the folder. A Finder window will display showing the contents of the hidden folder.


For easier access to that folder, as many open source applications still drop user files in there, I've changed the Finder window view of the Library to columns, allowing me to go to my home directory, then made an alias of the Library folder to keep in my Home folder. This way, whenever I need to get into Library, I simply click on the alias instead of going through the Finder menu options.


Yes, there is a "defaults write" Terminal trick that unhides the folder but Lion updates tend to erase that setting. Aliases do not get erased through OS updates.

