Flashback trojan

And you can learn more about this on tonight's News Channel 12 Long Island's story. See http://www.news12.com/blogs.jsp?widgetblogslink=http://blogs.news12.com/longisla nd/2012/04/06/the-mac-attack/

Sorry I'm not sure what I'm looking at either. How does this look for the third and fourth commands?

alex-johnsons-MacBook-Pro:~ alexjohnson$ ls -la ~/Library/LaunchAgents

total 32

drwxr-xr-x 6 alexjohnson staff 204 Sep 10 2011 .

drwx------+ 35 alexjohnson staff 1190 Apr 6 21:50 ..

-rw-r--r-- 1 alexjohnson staff 572 Apr 14 2011 com.apple.FTMonitor.plist

-rw-r--r-- 1 alexjohnson staff 411 Feb 10 2011 com.apple.imagent.plist

-rw-r--r-- 1 alexjohnson staff 447 Feb 10 2011 com.apple.marcoagent.plist

-rw-r--r-- 1 alexjohnson staff 808 Sep 10 2011 com.google.keystone.agent.plist

alex-johnsons-MacBook-Pro:~ alexjohnson$ grep "/Users/" ~/Library/LaunchAgents/*/Users/alexjohnson/Library/LaunchAgents/com.google.keys tone.agent.plist: <string>/Users/alexjohnson/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUp date.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/Goog leSoftwareUpdateAgent</string>

I had revised the fourht command to the following later in this thread because the original grep was showing too much:

grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*

This one produces a lot less for its results. In your case it woudn't have produced anything. I don't see what these are looking for in your list.

Thanks for all of the help so far - much appreciated.

For the last grep command, when you say "shouldn't have produced anything," can we expect a "does not exist" return or is there really nothing at all?

Ex:

ray-imac-3:~ leah$ grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*

ray-imac-3:~ leah$

Also, I received the following for the third command. I'm not entirely sure what I'm looking at, so any help is fantastic.

ray-imac-3:~ leah$ ls -la ~/Library/LaunchAgents

total 40

drwx------ 7 leah staff 238 Apr 6 13:57 .

drwx------@ 50 leah staff 1700 Dec 13 09:21 ..

-rw-r--r-- 1 leah staff 589 Nov 8 2009 com.adobe.ARM.32fc92aadecf45c6150edfbd059d518c174248ca67bf63e4a9386b86.plist

-rw-r--r-- 1 leah staff 618 Nov 9 07:29 com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.A2BC506E-6C89-4202-A8BF-6A 6976DF5E23.plist

-rw-r--r-- 1 leah staff 425 Feb 1 08:36 com.apple.FolderActions.enabled.plist

-rw-r--r-- 1 leah staff 517 Apr 6 13:57 com.apple.FolderActions.folders.plist

-rw------- 1 leah staff 813 Sep 19 2010 com.apple.SafariBookmarksSyncer.plist

Thanks!

mikelberry wrote:

Thanks for all of the help so far - much appreciated.

For the last grep command, when you say "shouldn't have produced anything," can we expect a "does not exist" return or is there really nothing at all?

Ex:

ray-imac-3:~ leah$ grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*

ray-imac-3:~ leah$

Exactly what I said, it had no results so it didn't find what it was looking for, thus it looks ok.

And if I type into terminal java -version; I get the message 'Unable to locate java runtime to invoke.' What does this mean?

I think you have turned java off globally using the Java Preferrences (in Utilities) or you don't have java installed in the first place (I think it's optional in Lion).

Big thank you, X423424X.

Yes, Java is disabled on both my browsers; I don't have Lion. I was following a suggestion in another thread and ended up with that message.

Thanks again.

Thanks for your time and help 🙂 I ran the updated command and it just jumped to a new line nothing was displayed and for the others you sed its clean so its ok 🙂 Thank you.

Glad all you guys are still clean, but remember the "bad guys" are always looking for new ways to get in so we're never completely safe.

Thank you - clear here!

Leopard 10.5.8

Helen

Does this one look clean.

My antivirus is going crazy about the com.valvesoftware.steamclean.plist

2013-03-15 20:04:28.028 defaults[296:707]

Domain /Users/jackson/.MacOSX/environment does not exist

Jacksons-MacBook-Pro:~ jackson$ defaults read /Applications/Safari.app/Contents/Info LSEnvironment

ls -la ~/Library/LaunchAgents

grep "/Users/" ~/Library/LaunchAgents/*

2013-03-15 20:04:28.050 defaults[297:707]

The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist

Jacksons-MacBook-Pro:~ jackson$ ls -la ~/Library/LaunchAgents

total 24

drwxr-xr-x 4 jackson staff 136 Mar 15 19:59 .

drwx------@ 51 jackson staff 1734 Mar 10 11:34 ..

-rw-r--r--@ 1 jackson staff 6148 Mar 15 19:56 .DS_Store

-rw-r--r-- 1 jackson staff 767 Mar 15 19:59 com.valvesoftware.steamclean.plist

Jacksons-MacBook-Pro:~ jackson$ grep "/Users/" ~/Library/LaunchAgents/*

<string>/Users/jackson/Library/Application Support/Steam/SteamApps/steamclean</string>

<string>/Users/jackson/Library/Application Support/Steam/SteamApps/steamclean</string>

<string>/Users/jackson/Library/Application Support/Steam/SteamApps</string>

Whatever 'Steamclean' is, get rid of it.

First, this tread is almost a year old and the methods outlined here no longer reflect the correct way to remove subject malware.

CaesarCalad wrote:

Does this one look clean.

My antivirus is going crazy about the com.valvesoftware.steamclean.plist

What antivirus and I'm guessing the infection name is something similar to Trojan.flashback?

What OS X are you using? Are you on an intel Mac, as this forum seems to indicate?

The appropriate way to clean up the Flashback malware is to use Software Update with OS X 10.6.8 and above until all updates are installed.

If you have you are already up-to-date then download and run this Flashback Removal Tool.

Then check to make sure that none of the following is still present on your hard drive:

/Users/jackson/Library/LaunchAgents/com.valvesoftware.steamclean.plist

/Users/jackson/Library/Applications Support/Steam (a folder)

If they are still there, drag them to the trash and empty it.

If you are running OS X 10.7 or above your Library folder will be invisible. In order to access it you will need to hold the Option key down and select "Library" from the Finder's "Go" menu.

Sorry for digging up an older tread, but I came here from Google and I don't want others to be misinformed if they read that Steam or "steamclean" is bad.

"steamclean" is a part of the very popular gaming platform/store Steam from Valve, which has a very good reputation. I'm using Steam myself, and many of my friends do (not only on OS X, but on Windows and Linux too), no one has ever encountered a problem related to security (the app itself isn't the most stable on OS X).

Link for further information: http://store.steampowered.com/