flashback virus
I just read an article about flash player and fake upgrades that give the computer a virus called flashback. How do you know if your Mac has it?
iMac, Mac OS X (10.7), 2.5 GHz Intel Core i5 Processor
If under the safari security I had "warn when visiting a fraudulent website" checked, would it have caught the virus?
Donald2001 wrote:
If under the safari security I had "warn when visiting a fraudulent website" checked, would it have caught the virus?
No, that's a different issue.
In order to prevent a potential infection with “Flashback” Trojans, Mac users should always obtain their copy of Adobe Flash Player directly from Adobe’s official website and disable the "Open 'safe' files after downloading" option in Apple's Safari browser to avoid automatically running files downloaded from the Internet. Also, do not turn on Java in Safari Preferences/Security. Few websites use Java. JavaScript is something entirely different and should be left active.
I do not recall ever "updating" flash player from a pop up. But I don't know if my kids may have done it. I need a step by step description on where to look for the trojan. Most of the answers I have seen start at a place I don't know how to get to. BTW I have turned off Java.
It's not a virus, it's a trojan. Not the same. Nor does its presence mean a fraudulent website. And, if you got the trojan I'm not sure a warning would have helped you. You should know better than clicking on stuff you know nothing about.
We're well past the "bogus adobe plugin installer" stage.
Here's what I am suggesting as a rudimentary test for some of the known strains of the flashback trojans. Open a terminal window and copy/paste each of the following lines hitting return after each one and note the results:
defaults read ~/.MacOSX/environment
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
ls -la ~/Library/LaunchAgents
grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*
For the two defaults commands, if you get anything other than a "does not exist" error message, post the results since you are almost certainly infected.
The third command, ls, just lists the contents of your LaunchAgents, if any. That's additional info to be used in conjunction with the last grep command. If the grep shows any results then that too may indicate infection and again post its results.
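The four checks in the post above, collected into one shell function as an added example (not part of the original thread). It tests for the file and greps for the key instead of calling `defaults`, so it can be pointed at any home directory; the function name and its two arguments are assumptions.

```shell
# Added example, not from the thread. Arguments are assumptions for illustration:
#   $1 = home directory to inspect (default: $HOME)
#   $2 = path to Safari.app (default: /Applications/Safari.app)
# Prints one line per finding; exit status is the number of findings (0 = none).
flashback_check() {
    home=${1:-$HOME}
    safari=${2:-/Applications/Safari.app}
    findings=0

    # Check 1 (defaults read ~/.MacOSX/environment): the post treats anything
    # other than "does not exist" as a finding, so the file existing is enough.
    if [ -e "$home/.MacOSX/environment.plist" ]; then
        echo "FINDING: $home/.MacOSX/environment.plist exists"
        findings=$((findings + 1))
    fi

    # Check 2 (defaults read .../Info LSEnvironment): look for the key name.
    # grep sees it in XML plists and in binary plists (ASCII keys are stored raw).
    if grep -q 'LSEnvironment' "$safari/Contents/Info.plist" 2>/dev/null; then
        echo "FINDING: LSEnvironment key present in $safari/Contents/Info.plist"
        findings=$((findings + 1))
    fi

    # Checks 3 and 4 (ls + grep): flag any launch agent that references a
    # dot-file directly under the home directory. -F matches the path literally.
    for agent in "$home"/Library/LaunchAgents/*; do
        [ -f "$agent" ] || continue
        if grep -qF "$home/." "$agent"; then
            echo "FINDING: $agent references a hidden file under $home"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ] && echo "No findings from these checks"
    return "$findings"
}
```

Run `flashback_check` with no arguments to inspect the current user's account. Like the manual commands, it only covers the strains those four checks were written for.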
Thanks. I followed your terminal instructions, which are similar to the ones at the f-secure.com site, and I am not infected.
I do remember recently updating Flash, although I don't remember the exact circumstances, so was worried I was infected. I double checked Software Update and I am up-to-date, so I must have gotten lucky and updated in time.
Close one.
Thanks for the help everyone but I am not too swift, computer wise. What is a terminal Window and how do you get to it?
One easy way is to open Spotlight and start typing Terminal.
When an application called Terminal appears in the search list double click it.
Allan
I think I am ok. When in the terminal window I typed in the first two lines suggested by x423424x I got the does not exist response each time. When I typed in the third line I did get a couple of things but when I typed in the last line I just got my prompt.
thanks everyone
Not so fast. What did you get from the third line?
part of the info shown
total 16
drwx----- 4 ("my name" ) staff 136 Dec 25 12:52.
drwx------ 40 ("my name" ) staff 1360 March 15 23:01..
-rw-r--r-- 1 ("my name" ) staff 904 Dec 25 11:51 com.apple.CSConfigDotMacC
ert-(My e mail address)@me.com-SharedServices.Agent.plist
-rw-r---r--@ 1 ("my name") staff 8210 Dec 25 12:52 com.google.keustone.agent.plist
"my name" is substituted for my name and "My e mail address" is substituted for my actual e mail address.
I just ran the directions shown on F-Secure as recommended by Kappy in Terminal and I got the does not exist answer.
Those look OK.
What about this:
MacBook:~ my name$ ls -la ~/Library/LaunchAgents
total 48
drwxr-xr-x 8 my name my name 272 Apr 2 14:54 .
drwx------+ 48 my name my name 1632 Mar 30 11:10 ..
-rw-r--r-- 1 my name my name 574 Nov 29 22:30 com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist
-rw-r--r-- 1 my name 425 Mar 31 2011 com.apple.FolderActions.enabled.plist
-rw-r--r-- 1 my name 517 Mar 31 2011 com.apple.FolderActions.folders.plist
-rw-r--r-- 1 my name 624 May 5 2011 com.google.GoogleContactSyncAgent.plist
-rw-r--r-- 1 root wheel 723 Apr 13 2010 com.hp.printerAgent.plist
-rw-r--r-- 1 my name 677 Aug 28 2011 org.virtualbox.vboxwebsrv.plist
MacBook:~ my name$ grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*
MacBook:~ my name$
Where it says "my name" is where my computer name is. Thanks!
S