
How do I know if I have malware (Flashback)?

I read tonight that this Malware may have infected over 600,000 machines.......disguised as Adobe Flash update.


How do I know if my update was legitimate?


Thanks

Mac Pro, Mac OS X (10.6.8)

Posted on Apr 5, 2012 6:31 PM


Apr 5, 2012 7:33 PM in response to acamarata

acamarata wrote:


I read tonight that this Malware may have infected over 600,000 machines.......disguised as Adobe Flash update.


How do I know if my update was legitimate?


Thanks

Read http://reviews.cnet.com/8301-13727_7-57410050-263/mac-flashback-malware-what-it-is-and-how-to-get-rid-of-it-faq/ and follow the instructions. Keep in mind that Flash installs a preference panel in System Preferences and one of the options is whether it will check for updates automatically and alert you to new versions. That's one way to be presented with a Flash update. Another, of course, is the flashback trick.

Apr 5, 2012 11:01 PM in response to acamarata

Here's what I am suggesting as a rudimentary test for some of the known strains of the flashback trojans. Open a terminal window and copy/paste each of the following lines hitting return after each one and note the results:


defaults read ~/.MacOSX/environment

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

ls -la ~/Library/LaunchAgents

grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*


For the two defaults commands, if you get anything other than a "does not exist" error message, post the results since you are almost certainly infected.


The third command, ls, just lists the contents of your LaunchAgents, if any. That's additional info to be used in conjunction with the last grep command. If the grep shows any results then that too may indicate infection and again post its results.
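
The four checks above wrapped in a script that labels the results, as an added example that is not part of the original post. The function names are assumptions, and it uses $HOME in place of /Users/$USER; it labels `~/.Trash` (the normal per-user Trash folder) separately from other hidden paths, because the grep pattern matches both.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are assumptions.

# check_default ARGS...: wraps one of the two `defaults read` checks.
# "absent" corresponds to the "does not exist" error the post describes.
check_default() {
    command -v defaults >/dev/null 2>&1 || { echo "skipped (no defaults command)"; return 0; }
    if out=$(defaults read "$@" 2>/dev/null); then
        echo "present: $out"
    else
        echo "absent"
    fi
}

# scan_launch_agents DIR HOME_DIR: same idea as the post's grep, i.e. find
# references to a dot-file or dot-folder directly under the home directory.
# Prints "<label> <plist>:<matched path>" per hit.
scan_launch_agents() {
    dir=$1
    home=$2
    grep -H -o "$home/\.[^<\"]*" "$dir"/*.plist 2>/dev/null |
    while IFS= read -r hit; do
        path=${hit#*:}
        case $path in
            # ~/.Trash is the normal per-user Trash folder; the pattern matches
            # it too, so label it separately from other hidden paths.
            "$home/.Trash"|"$home/.Trash/"*) echo "trash  $hit" ;;
            *) echo "review $hit" ;;
        esac
    done
}

# count_review DIR HOME_DIR: number of hits that still need a closer look.
count_review() {
    scan_launch_agents "$1" "$2" | grep -c '^review ' || true
}

echo "~/.MacOSX/environment: $(check_default "$HOME/.MacOSX/environment")"
echo "Safari LSEnvironment:  $(check_default /Applications/Safari.app/Contents/Info LSEnvironment)"
scan_launch_agents "$HOME/Library/LaunchAgents" "$HOME"
echo "LaunchAgents hits to review: $(count_review "$HOME/Library/LaunchAgents" "$HOME")"
```

Lines labelled "review" are the ones to post along with the `ls` listing; a "present" result from either defaults check is the case the post asks you to report.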

May 2, 2013 12:02 AM in response to combaticus

combaticus wrote:


umm is there any way I can email those results to you, the second thing you said to put in came up with 4 or 5 items.

Posting e-mail addresses is not allowed in the Forum. There is almost nothing you could post here that would give anything away except the serial number of your Mac and some passwords. If you are uncomfortable revealing your userid, just delete it from what you found. I'd be very surprised if you have 4 or 5 infections in Safari. Most Flashback victims had only one.

The Flashback malware may not make my Safari crash anymore, but I still want rid of it. How do I go about doing it?

If you are infected by Flashback, it would have been about a year ago now. If you are using OS X 10.6.8 and keep it fully up-to-date, then you have run Apple's Malware Removal Tool several times now which should have cleaned everything up.

Dec 13, 2014 12:16 AM in response to X423424X

Would you mind taking a look at this----- I ran your test and I think that I have a problem!!!! I have already deleted Cleanmymac... I also was curious on how to delete things permanently off the HD if possible. BTW, I am no computer genius, but I want to learn coding, so anything helps and I am willing to try to do stuff in Terminal.


Last login: Fri Dec 12 23:37:44 on ttys000

Macintosh:~ username$

Macintosh:~ username$ defaults read ~/.MacOSX/environment

de2014-12-12 23:54:24.586 defaults[541:12863]

Domain /Users/username/.MacOSX/environment does not exist

Macintosh:~ username$ defaults read /Applications/Safari.app/Contents/Info LSEnvironment

2014-12-12 23:56:41.185 defaults[542:13028]

The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist

Macintosh:~ username$ ls ~la ~/Library/LaunchAgents

ls: ~la: No such file or directory

/Users/username/Library/LaunchAgents:

com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist

com.divx.agent.postinstall.plist

com.genieo.completer.download.plist

com.genieo.completer.update.plist

com.google.keystone.agent.plist

com.macpaw.CleanMyMac.helperTool.plist

com.macpaw.CleanMyMac.trashSizeWatcher.plist

com.macpaw.CleanMyMac.volumeWatcher.plist

com.macpaw.CleanMyMac2Helper.scheduledScan.plist

com.macpaw.CleanMyMac2Helper.trashWatcher.plist

Macintosh:~ username$ grep "/Users/$USER/\..*" ~/Library/LaunchAgents/*

/Users/username/Library/LaunchAgents/com.macpaw.CleanMyMac.helperTool.plist: <string>/Users/username/.Trash</string>

/Users/username/Library/LaunchAgents/com.macpaw.CleanMyMac2Helper.trashWatcher.plist: <string>/Users/username/.Trash</string>

Macintosh:~ username$

Dec 13, 2014 12:42 AM in response to green9088

This discussion is over two and a half years old, so very little here will be current. Flashback has been extinct for over two years, so you don't need to be concerned with that in any case. You would almost certainly be better off starting a new discussion and completely describe what you are seeing instead of jumping to conclusions about what's wrong. You'll get more help faster that way. It's just the way this forum works best.


That said, you have accidentally installed some sort of adware. The fastest, most effective way to identify and optionally remove all currently known adware is by using AdwareMedic, developed by thomas_r., this Forum's malware guru, owner of TheSafeMac and a colleague of mine.


To understand why this happened and how to avoid such things in the future read John Galt's How to install adware.

Dec 13, 2014 12:54 AM in response to MadMacs0

Wow, I love it..... Thanks for the awesome response time!!! Yeah, I have noticed some funky things happening on my mid-2009 MacBook Pro. For instance, when I open programs such as Microsoft Word it always asks if I will allow incoming connections, although I have it set to allow in my firewall panel. Do you know why this is happening? BTW, I will try that program out ASAP.


Thank you
