Flashback trojan
How do I find out if I have the Flashback trojan? Simple explanation, please.
iMac, Mac OS X (10.6.8)
If you install the Java update from auto update, it will be removed if you do.
This couldn't have been simpler! Thank you!
Rudegar wrote:
If you install the Java update from auto update, it will be removed if you do.
Where are you getting that from? AFAIK the update/patch will prevent a new infection (for a time until Java is inevitably exploited again), but not remove an existing one. This is closing the barn door after the horses have escaped.
Rudegar wrote:
If you install the Java update from auto update, it will be removed if you do.
That is incorrect. The Java security update fixes some security holes in Java to protect against the strains of trojans that are trying to use those flaws in the security to install themselves. It does nothing to a system that is already infected. The injected code is still in the infected system. It may stop further information from being sent to the bad guys, but I doubt it, since I think the Java flaws were only used to get the real non-Java code injected.
So don't get complacent.
Here's what I am suggesting as a rudimentary test for some of the known strains of the Flashback trojans. Open a Terminal window and copy and paste each of the following lines, hitting return after each one, and note the results:
defaults read ~/.MacOSX/environment
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
ls -la ~/Library/LaunchAgents
grep "/Users/" ~/Library/LaunchAgents/*
For the two defaults commands, if you get anything other than a "does not exist" error message, post the results, since you are almost certainly infected.
The third command, ls, just lists the contents of your LaunchAgents, if any. That's additional info to be used in conjunction with the last grep command. If the grep shows any results then that too may indicate infection, and again post its results.
As has been said, the patch is not a Trojan removal tool; a further conversation can be seen here. I don't have Java installed myself, but telling people the patch 'fixes' the issue is reckless.
https://discussions.apple.com/thread/3855204?answerId=18049046022#18049046022
I ran the commands that you posted and for the first two I got the "does not exist", so that is clean. And for the other two I got the following:
This is the ls Command:
total 24
drwxr-xr-x@ 5 Joe staff 170 Mar 10 12:03 .
drwx------@ 43 Joe staff 1462 Mar 10 13:59 ..
-rw-r--r-- 1 Joe staff 618 Feb 19 09:32 com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.D7BA66B7-C0EE-4E6A-B546-EE300832E399.plist
-rw-r--r--@ 1 Joe staff 801 Mar 10 12:03 com.google.keystone.agent.plist
-rw-r--r-- 1 Joe staff 758 Feb 25 16:12 com.valvesoftware.steamclean.plist
This is the grep Command:
/Users/Joe/Library/LaunchAgents/com.google.keystone.agent.plist: <string>/Users/Joe/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent</string>
/Users/Joe/Library/LaunchAgents/com.valvesoftware.steamclean.plist: <string>/Users/Joe/Library/Application Support/Steam/SteamApps/steamclean</string>
/Users/Joe/Library/LaunchAgents/com.valvesoftware.steamclean.plist: <string>/Users/Joe/Library/Application Support/Steam/SteamApps/steamclean</string>
/Users/Joe/Library/LaunchAgents/com.valvesoftware.steamclean.plist: <string>/Users/Joe/Library/Application Support/Steam/SteamApps</string>
Well based on those commands I would say you are not infected.
It did tell me one thing though. I've got to fix that grep command the next time I post those commands. Even though grep displayed stuff when I said it shouldn't, in your case it should. My command is in error on what I intended. Not your fault. Mine.
It's OK, thanks for the useful information 🙂
What should the grep command read please?
The defaults returned nothing, so thanks for that, and thanks for correcting the first respondent. Should I run virus software on my Mac? Where should I go to get it if so? Apple said it wasn't necessary but this has all been a bit of a worry.
Here's my corrected grep command:
grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*
Hopefully nothing will be displayed unless it finds a reference to a dot file in the LaunchAgents.
As for AV software, I don't recommend it either. It may only detect what has been, not what may come in the future. And you can be sure something different will be coming.
There's the other school of thought it may be useful as a secondary check. But AV software can add to the overhead and sometimes may be unstable.
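The difference between the first grep pattern and the corrected one posted above, as an added example that is not part of the original thread. The user name Joe and the two legitimate agent names are taken from the output posted earlier; `com.example.updater.plist` and `.flashback_sample` are constructed, hypothetical names.

```shell
#!/bin/sh
# Added example: compares the thread's two grep patterns on constructed plists.

# Build a constructed LaunchAgents directory for user "Joe" under $1.
make_sample() {
    mkdir -p "$1"
    printf '<string>/Users/Joe/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdateAgent</string>\n' \
        > "$1/com.google.keystone.agent.plist"
    printf '<string>/Users/Joe/Library/Application Support/Steam/SteamApps/steamclean</string>\n' \
        > "$1/com.valvesoftware.steamclean.plist"
    # Constructed suspicious agent (hypothetical name): launches a hidden file in the home folder.
    printf '<string>/Users/Joe/.flashback_sample</string>\n' \
        > "$1/com.example.updater.plist"
}

# First pattern from the thread: any path under /Users/ (also matches legitimate agents).
# Prints the number of matching files in directory $1.
broad_hits() {
    grep -l "/Users/" "$1"/* 2>/dev/null | wc -l | tr -d ' '
}

# Corrected pattern: only paths to a dot file directly in the user's home.
# $1 = LaunchAgents directory, $2 = short user name (the thread uses $USER).
dotfile_hits() {
    grep -l "/Users/$2/\..*" "$1"/* 2>/dev/null
}

# Print a verdict for directory $1 and user $2; returns 1 when something matches.
scan() {
    hits=$(dotfile_hits "$1" "$2") || true
    if [ -n "$hits" ]; then
        echo "REVIEW: LaunchAgents pointing at hidden files:"
        echo "$hits"
        return 1
    fi
    echo "No LaunchAgents reference a dot file in /Users/$2"
}

# Demo on the constructed directory.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "broad pattern matches $(broad_hits "$demo_dir") files"
scan "$demo_dir" Joe || true
rm -rf "$demo_dir"
# On a real Mac: scan "$HOME/Library/LaunchAgents" "$USER"
```
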
Can you tell me how to open a terminal session? I am most familiar with PC but at home I am a Mac. I use it daily. Thank you.
Terminal is in your Utilities folder. Open it like any other app and a window will be displayed (which you can enlarge if you want). Then you can copy/paste each command into the window and hit return.
You should see a "prompt" at the beginning of each line (e.g., "bash-3.2$ "). The command follows the prompt.
I got environment does not exist for the first two. Then for the next 2. Does my mac look clean? Not sure what I'm looking for. Thx!
cg-zarbocks-computer-4:~ Zee2$ ls -la ~/Library/LaunchAgents
total 32
drwxr-xr-x 6 Zee2 Zee2 204 Sep 30 2011 .
drwx------+ 52 Zee2 Zee2 1768 Jun 9 2011 ..
-rw-r--r-- 1 Zee2 Zee2 589 Sep 30 2011 com.adobe.ARM.32fc92aadecf45c6150edfbd059d518c174248ca67bf63e4a9386b86.plist
-rw-r--r-- 1 Zee2 Zee2 589 Feb 8 2010 com.adobe.ARM.925793fb327152fd34795896fa1fb9ffa268b2a852256fe56609efa3.plist
-rw-r--r-- 1 Zee2 Zee2 601 Sep 16 2011 com.adobe.ARM.930da3ce175de4e82bd3cdf1dd8571f74bd3b6a7236bc94bfc00f6e9.plist
-rw-r--r-- 1 Zee2 Zee2 801 Jul 8 2011 com.google.keystone.agent.plist
cg-zarbocks-computer-4:~ Zee2$ grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*
cg-zarbocks-computer-4:~ Zee2$
Those look ok.
Thank you!