
flashback virus

I just read an article about flash player and fake upgrades that give the computer a virus called flashback. How do you know if your Mac has it?

iMac, Mac OS X (10.7), 2.5 GHz Intel Core i5 Processor

Posted on Apr 5, 2012 3:03 PM

44 replies

Apr 5, 2012 4:16 PM in response to Donald2001

Donald2001 wrote:


If under the safari security I had "warn when visiting a fraudulent website" checked, would it have caught the virus?


No, that's a different issue.


In order to prevent a potential infection with “Flashback” Trojans, Mac users should always obtain their copy of Adobe Flash Player directly from Adobe’s official website and disable the "Open 'safe' files after downloading" option in Apple's Safari browser to avoid automatically running files downloaded from the Internet. Also, do not turn on Java in Safari Preferences/Security. Few websites use Java. JavaScript is something entirely different and should be left active.

Apr 5, 2012 10:22 PM in response to Kappy

We're well past the "bogus adobe plugin installer" stage.


Here's what I am suggesting as a rudimentary test for some of the known strains of the flashback trojans. Open a terminal window and copy/paste each of the following lines hitting return after each one and note the results:


defaults read ~/.MacOSX/environment

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

ls -la ~/Library/LaunchAgents

grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*


For the two defaults commands, if you get anything other than a "does not exist" error message, post the results, since you are almost certainly infected.


The third command, ls, just lists the contents of your LaunchAgents, if any. That's additional info to be used in conjunction with the last grep command. If the grep shows any results then that too may indicate infection and again post its results.
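
The four manual checks from the post above, wrapped into one function, as an added example that is not part of the original thread. The function name, its arguments and the "FINDING:" output format are assumptions of this example; a hit means the result is worth posting for review, as the post asks.

```shell
#!/bin/sh
# Added example (not from the thread): flashback_check HOME_DIR USER_NAME [SAFARI_APP]
# Prints one "FINDING:" line per hit and nothing when all checks come back clean.
flashback_check() {
    home=$1; user=$2; safari=${3:-/Applications/Safari.app}
    agents="$home/Library/LaunchAgents"

    # Check 1: `defaults read ~/.MacOSX/environment` reads environment.plist.
    # The post treats anything other than "does not exist" as a hit.
    if [ -e "$home/.MacOSX/environment.plist" ]; then
        echo "FINDING: $home/.MacOSX/environment.plist exists"
    fi

    # Check 2: LSEnvironment key in Safari's Info.plist.
    # Needs the macOS `defaults` tool; skipped where it is not installed.
    if command -v defaults >/dev/null 2>&1; then
        if defaults read "$safari/Contents/Info" LSEnvironment >/dev/null 2>&1; then
            echo "FINDING: LSEnvironment is set in $safari/Contents/Info.plist"
        fi
    fi

    # Checks 3 and 4: look at each LaunchAgent file and flag any that
    # reference a dot-file under the user's home (same pattern as the post).
    [ -d "$agents" ] || return 0
    for plist in "$agents"/*; do
        [ -f "$plist" ] || continue
        if grep -q "/Users/$user/\..*" "$plist" 2>/dev/null; then
            echo "FINDING: $plist references a hidden path under /Users/$user"
        fi
    done
    return 0
}

# Run against the current account only when invoked as: sh script.sh --run
if [ "${1:-}" = "--run" ]; then
    flashback_check "$HOME" "${USER:-$(id -un)}"
fi
```
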

Apr 7, 2012 5:00 AM in response to X423424X

Thanks. I followed your terminal instructions, which are similar to the ones at the f-secure.com site, and I am not infected.


I do remember recently updating Flash, although I don't remember the exact circumstances, so was worried I was infected. I double checked Software Update and I am up-to-date, so I must have gotten lucky and updated in time.


Close one.

Apr 7, 2012 5:10 PM in response to WZZZ

part of the info shown


total 16

drwx----- 4 ("my name" ) staff 136 Dec 25 12:52.

drwx------ 40 ("my name" ) staff 1360 March 15 23:01..

-rw-r--r-- 1 ("my name" ) staff 904 Dec 25 11:51 com.apple.CSConfigDotMacCert-(My e mail address)@me.com-SharedServices.Agent.plist

-rw-r---r--@ 1 ("my name") staff 8210 Dec 25 12:52 com.google.keustone.agent.plist


"My name" is substituted for my name, and "My e mail address" is substituted for my actual e-mail address.

Apr 8, 2012 12:32 PM in response to WZZZ

What about this:


MacBook:~ my name$ ls -la ~/Library/LaunchAgents

total 48

drwxr-xr-x 8 my name my name 272 Apr 2 14:54 .

drwx------+ 48 my name my name 1632 Mar 30 11:10 ..

-rw-r--r-- 1 my name my name 574 Nov 29 22:30 com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist

-rw-r--r-- 1 my name 425 Mar 31 2011 com.apple.FolderActions.enabled.plist

-rw-r--r-- 1 my name 517 Mar 31 2011 com.apple.FolderActions.folders.plist

-rw-r--r-- 1 my name 624 May 5 2011 com.google.GoogleContactSyncAgent.plist

-rw-r--r-- 1 root wheel 723 Apr 13 2010 com.hp.printerAgent.plist

-rw-r--r-- 1 my name 677 Aug 28 2011 org.virtualbox.vboxwebsrv.plist

MacBook:~ my name$ grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*

MacBook:~ my name$



Where it says "my name" is where my computer name is. Thanks!


S
