Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Flashback trojan

How do i find out if i have flashback trojan. Simple explanation please

iMac, Mac OS X (10.6.8)

Posted on Apr 5, 2012 12:42 PM

Reply
Question marked as Best reply

Posted on Apr 5, 2012 1:16 PM

If you install the java Update from auto Update it Will be removed if you do

30 replies

Apr 5, 2012 1:47 PM in response to Rudegar

Rudegar wrote:


If you install the java Update from auto Update it Will be removed if you do

Where are you getting that from? AFAIK the update/patch will prevent a new infection (for a time until Java is inevitably exploited again), but not remove an existing one. This is closing the barn door after the horses have escaped.

Apr 5, 2012 1:50 PM in response to Rudegar

Rudegar wrote:


If you install the java Update from auto Update it Will be removed if you do


That is incorrect. The java security update fixes some security holes in java to protect against the strains of trojans that are trying to uses those flaws in the security to install themselves. It does nothing to a system that is already infected. The injected code is still in the infected system. It may stop further information from being sent to the bad guys but I doubt it since I think the java flaws were only used to get the real non-java code injected.


So don't get complacent.


Here's what I am suggesting as a rudimentary test for some of the known strains of the flashback trojans. Open a terminal window and copy past each of the following lines hitting return after each one and note the results:


defaults read ~/.MacOSX/environment

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

ls -la ~/Library/LaunchAgents

grep "/Users/" ~/Library/LaunchAgents/*


For the two defaults command if you get anything other than a "does not exist" error message post the results since you are almost certainly infected.


The third command, ls, just lists the contents of your LaunchAgents, if any. That's additional info to be used inconjuntion with the last grep command. If the grep shows any results then that too may indicate infection and again post its results.

Apr 5, 2012 3:30 PM in response to X423424X

I ran the commands that you posted and for the first two i got the "does not exist" so that is clean. And for the other two I got the following:

This is the ls Command:


total 24

drwxr-xr-x@ 5 Joe staff 170 Mar 10 12:03 .

drwx------@ 43 Joe staff 1462 Mar 10 13:59 ..

-rw-r--r-- 1 Joe staff 618 Feb 19 09:32 com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.D7BA66B7-C0EE-4E6A-B546-EE 300832E399.plist

-rw-r--r--@ 1 Joe staff 801 Mar 10 12:03 com.google.keystone.agent.plist

-rw-r--r-- 1 Joe staff 758 Feb 25 16:12 com.valvesoftware.steamclean.plist


This is the grep Command:


/Users/Joe/Library/LaunchAgents/com.google.keystone.agent.plist: <string>/Users/Joe/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bun dle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwa reUpdateAgent</string>

/Users/Joe/Library/LaunchAgents/com.valvesoftware.steamclean.plist: <string>/Users/Joe/Library/Application Support/Steam/SteamApps/steamclean</string>

/Users/Joe/Library/LaunchAgents/com.valvesoftware.steamclean.plist: <string>/Users/Joe/Library/Application Support/Steam/SteamApps/steamclean</string>

/Users/Joe/Library/LaunchAgents/com.valvesoftware.steamclean.plist: <string>/Users/Joe/Library/Application Support/Steam/SteamApps</string>

Apr 6, 2012 2:19 AM in response to Deb7000000

Here's my corrected grep command:


grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*


Hopefully nothing will be displayed unless if finds a reference to a dot file in the LaunchAgents.


As for AV software, I don't recommend it either. It may only detect what has been not what may come in the future. And you can be sure something different will be coming.


There's the other school of thought it may be useful as a secondary check. But AV software can add to the overhead and sometimes may be unstable.

Apr 6, 2012 2:29 AM in response to kd17

Terminal is in your Utilities folder. Open it like any other app and a window will be displayed (which you can enlarge if you want). Then you can copy/paste each command into the window and hit return.


You should see a "prompt" at the beginning of each line (e.g., "bash-3.2$ "). The command follows the prompt.

Apr 6, 2012 5:22 PM in response to Deb7000000

I got environment does not exist for the first two. Then for the next 2. Does my mac look clean? Not sure what I'm looking for. Thx!



cg-zarbocks-computer-4:~ Zee2$ ls -la ~/Library/LaunchAgents

total 32

drwxr-xr-x 6 Zee2 Zee2 204 Sep 30 2011 .

drwx------+ 52 Zee2 Zee2 1768 Jun 9 2011 ..

-rw-r--r-- 1 Zee2 Zee2 589 Sep 30 2011 com.adobe.ARM.32fc92aadecf45c6150edfbd059d518c174248ca67bf63e4a9386b86.plist

-rw-r--r-- 1 Zee2 Zee2 589 Feb 8 2010 com.adobe.ARM.925793fb327152fd34795896fa1fb9ffa268b2a852256fe56609efa3.plist

-rw-r--r-- 1 Zee2 Zee2 601 Sep 16 2011 com.adobe.ARM.930da3ce175de4e82bd3cdf1dd8571f74bd3b6a7236bc94bfc00f6e9.plist

-rw-r--r-- 1 Zee2 Zee2 801 Jul 8 2011 com.google.keystone.agent.plist

cg-zarbocks-computer-4:~ Zee2$ grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*

cg-zarbocks-computer-4:~ Zee2$

Flashback trojan

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.