30 Replies. Latest reply: Sep 12, 2013 8:11 AM by bhillinger
Deb7000000 Level 1 (0 points)

How do I find out if I have the Flashback trojan? Simple explanation please.


iMac, Mac OS X (10.6.8)
  • Rudegar Level 7 (21,935 points)

    If you install the Java update from auto update it will be removed if you do

  • Deb7000000 Level 1 (0 points)

    This couldn't have been simpler! Thank you!

  • WZZZ Level 6 (12,660 points)

    Rudegar wrote:

    If you install the Java update from auto update it will be removed if you do

    Where are you getting that from? AFAIK the update/patch will prevent a new infection (for a time until Java is inevitably exploited again), but not remove an existing one. This is closing the barn door after the horses have escaped.

  • X423424X Level 6 (14,205 points)

    Rudegar wrote:

    If you install the Java update from auto update it will be removed if you do

    That is incorrect.  The Java security update fixes some security holes in Java to protect against the strains of trojans that are trying to use those flaws in the security to install themselves.  It does nothing to a system that is already infected.  The injected code is still in the infected system.  It may stop further information from being sent to the bad guys but I doubt it since I think the Java flaws were only used to get the real non-Java code injected.

    So don't get complacent.

    Here's what I am suggesting as a rudimentary test for some of the known strains of the Flashback trojans.  Open a terminal window and copy/paste each of the following lines, hitting return after each one, and note the results:

    defaults read ~/.MacOSX/environment

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment

    ls -la ~/Library/LaunchAgents

    grep "/Users/" ~/Library/LaunchAgents/*

    For the two defaults commands, if you get anything other than a "does not exist" error message post the results since you are almost certainly infected.

    The third command, ls, just lists the contents of your LaunchAgents, if any.  That's additional info to be used in conjunction with the last grep command.  If the grep shows any results then that too may indicate infection and again post its results.

  • killhippie Level 3 (690 points)

    As has been said, the patch is not a Trojan removal tool; a further conversation can be seen here. I don't have Java installed myself, but telling people the patch 'fixes' the issue is reckless.

    https://discussions.apple.com/message/18049046#18049046

  • R Tweaky Level 1 (0 points)

    I ran the commands that you posted and for the first two I got the "does not exist" so that is clean. And for the other two I got the following:

    This is the ls Command:

     

    total 24

    drwxr-xr-x@  5 Joe  staff   170 Mar 10 12:03 .

    drwx------@ 43 Joe  staff  1462 Mar 10 13:59 ..

    -rw-r--r--   1 Joe  staff   618 Feb 19 09:32 com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.D7BA66B7-C0EE-4E6A-B546-EE300832E399.plist

    -rw-r--r--@  1 Joe  staff   801 Mar 10 12:03 com.google.keystone.agent.plist

    -rw-r--r--   1 Joe  staff   758 Feb 25 16:12 com.valvesoftware.steamclean.plist

     

    This is the grep Command:

     

    /Users/Joe/Library/LaunchAgents/com.google.keystone.agent.plist:            <string>/Users/Joe/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent</string>

    /Users/Joe/Library/LaunchAgents/com.valvesoftware.steamclean.plist:          <string>/Users/Joe/Library/Application Support/Steam/SteamApps/steamclean</string>

    /Users/Joe/Library/LaunchAgents/com.valvesoftware.steamclean.plist:                     <string>/Users/Joe/Library/Application Support/Steam/SteamApps/steamclean</string>

    /Users/Joe/Library/LaunchAgents/com.valvesoftware.steamclean.plist:                     <string>/Users/Joe/Library/Application Support/Steam/SteamApps</string>

  • X423424X Level 6 (14,205 points)

    Well based on those commands I would say you are not infected.

     

    It did tell me one thing though.  I got to fix that grep command the next time I post those commands.  Even though grep displayed stuff when I said it shouldn't in your case it should.  My command is in error on what I intended.  Not your fault.  Mine.

  • R Tweaky Level 1 (0 points)

    It's OK, thanks for the useful information

  • Deb7000000 Level 1 (0 points)

    What should the grep command read please?

    The defaults returned nothing so thanks for that and thanks for correcting first respondent; should I run virus software on my Mac? Where should I go to get it if so? Apple said it wasn't necessary but this has all been a bit of a worry

  • X423424X Level 6 (14,205 points)

    Here's my corrected grep command:

    grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*

    Hopefully nothing will be displayed unless it finds a reference to a dot file in the LaunchAgents.

    As for AV software, I don't recommend it either.  It may only detect what has been, not what may come in the future.  And you can be sure something different will be coming.

     

    There's the other school of thought it may be useful as a secondary check.  But AV software can add to the overhead  and sometimes may be unstable.
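
The checks from the posts above combined into one script, as an added example that is not part of the original thread. It matches the literal string `$HOME/.` in LaunchAgents (the same intent as the corrected grep); the function names and the sample file `com.example.constructed.plist` are constructed for illustration.

```shell
#!/bin/sh
# Print LaunchAgents lines that reference a dot (hidden) file directly under
# the home directory. $1 = LaunchAgents dir, $2 = home dir. Status 0 = hits.
scan_launch_agents() {
    dir=${1:-"$HOME/Library/LaunchAgents"}
    home=${2:-"$HOME"}
    # -F matches the home path literally; /dev/null forces "file:line" output.
    hits=$(grep -F -- "$home/." "$dir"/* /dev/null 2>/dev/null) || true
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Status 0 if `defaults read ARGS` returns a value (what the thread treats as
# a sign of infection), 1 if it does not exist, 2 if there is no `defaults`.
defaults_key_present() {
    command -v defaults >/dev/null 2>&1 || return 2
    defaults read "$@" >/dev/null 2>&1 || return 1
}

report_defaults() {   # $1 = label, remaining args go to `defaults read`
    label=$1; shift
    rc=0; defaults_key_present "$@" || rc=$?
    case $rc in
        0) echo "SUSPICIOUS: $label is set" ;;
        1) echo "ok: $label does not exist" ;;
        *) echo "skipped: $label (no defaults command, not macOS)" ;;
    esac
}

# Constructed sample: a benign agent (path as in the output posted above) and
# a hypothetical agent pointing at a hidden file in the home directory.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '<string>%s</string>\n' \
        '/Users/Joe/Library/Application Support/Steam/SteamApps/steamclean' \
        > "$d/com.valvesoftware.steamclean.plist"
    printf '<string>/Users/Joe/.hidden-example</string>\n' \
        > "$d/com.example.constructed.plist"
    printf '%s\n' "$d"
}

report_defaults "$HOME/.MacOSX/environment" "$HOME/.MacOSX/environment"
report_defaults "Safari LSEnvironment" /Applications/Safari.app/Contents/Info LSEnvironment
if scan_launch_agents; then
    echo "SUSPICIOUS: a LaunchAgent references a hidden file (listed above)"
else
    echo "ok: no LaunchAgent references a hidden file under $HOME"
fi
```

To try the scan on the constructed sample instead of the live directory, run `scan_launch_agents "$(make_sample)" /Users/Joe`; only the constructed agent is listed, while the Steam entry that the first grep reported is not.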

  • kd17 Level 1 (0 points)

    Can you tell me how to open a terminal session?  I am most familiar with PC but at home I am a Mac.  I use it daily.  Thank you

  • X423424X Level 6 (14,205 points)

    Terminal is in your Utilities folder.  Open it like any other app and a window will be displayed (which you can enlarge if you want).  Then you can copy/paste each command into the window and hit return.

     

    You should see a "prompt" at the beginning of each line (e.g., "bash-3.2$  ").  The command follows the prompt.

  • Gemztone Level 1 (0 points)

    I got environment does not exist for the first two. Then for the next 2. Does my mac look clean? Not sure what I'm looking for. Thx!

     

     

    cg-zarbocks-computer-4:~ Zee2$ ls -la ~/Library/LaunchAgents

    total 32

    drwxr-xr-x   6 Zee2  Zee2   204 Sep 30  2011 .

    drwx------+ 52 Zee2  Zee2  1768 Jun  9  2011 ..

    -rw-r--r--   1 Zee2  Zee2   589 Sep 30  2011 com.adobe.ARM.32fc92aadecf45c6150edfbd059d518c174248ca67bf63e4a9386b86.plist

    -rw-r--r--   1 Zee2  Zee2   589 Feb  8  2010 com.adobe.ARM.925793fb327152fd34795896fa1fb9ffa268b2a852256fe56609efa3.plist

    -rw-r--r--   1 Zee2  Zee2   601 Sep 16  2011 com.adobe.ARM.930da3ce175de4e82bd3cdf1dd8571f74bd3b6a7236bc94bfc00f6e9.plist

    -rw-r--r--   1 Zee2  Zee2   801 Jul  8  2011 com.google.keystone.agent.plist

    cg-zarbocks-computer-4:~ Zee2$ grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*

    cg-zarbocks-computer-4:~ Zee2$

  • X423424X Level 6 (14,205 points)

    Those look ok.
