
Dr Web Flashback Virus checker accurate?

Does anyone have any info about how accurate the Flashback checker from Dr Web is? http://public.dev.drweb.com/april


When I enter my Hardware UUID into the tool I get the following response:


probably infected by Backdoor.Flashback.39 !


Timestamp of the first access: 2012-04-03 21:27:19
Timestamp of the last access: 2012-04-06 17:48:52


However when I follow the instructions from the F-Secure website to locate and remove the virus (http://community.f-secure.com/t5/Protection/Flashback-Mac-OS-X-Remover/m-p/10887#M2223) using Terminal, I get the files "do not exist" responses.


I haven't experienced any issues with my computer but figured I'd check to be certain, and now I'm not sure how to proceed.

MacBook Pro, Mac OS X (10.6.8)

Posted on Apr 7, 2012 10:14 AM


Apr 10, 2012 2:43 PM in response to etresoft

etresoft wrote:



MadMacs0 wrote:


I still cannot comment on your Tip, so either I don't know how or I don't have permission.



It must be a permissions issue. There must be some level of points you need to add a comment. Can you see the comments I made?

Yes, I saw three of your comments when I was there and I clicked all over the screen but nothing let me in. I assume it looks something like the "Reply" button in the lower right?


I suspect it's a point thing which seems to be of great importance to the host for some reason.

Apr 10, 2012 4:24 PM in response to etresoft

etresoft wrote:


Apple provides many facilities, one of which is the DYLD_INSERT_LIBRARIES, that are only for development or testing.

Environment.plist is not for testing.

You shouldn't deliver using those hacks.

If environment.plist is a hack, then it is a hack designed by Apple, made by Apple, supported by Apple, and indicated to developers by Apple (see the two developer library docs I referred above). You'll forgive me if, between Apple's recommendation and yours, I go with Apple's.

Don't use environment variables. […] Again, environment.plist is the wrong answer.

Please explain that to Apple. They've been providing and supporting the wrong answer for, what is it now? Over 10 years? Since v10.0 or thereabouts?

I have no .MacOSX/environment.plist file. I have a great number of highly unusual system modifications. If you have something so unusual that I don't have, you don't want it.

With great respect, I'm not about to consider that your configuration is the proper measure for all Mac OS X users. Between Apple and BareBones (who've been developing Mac software for over twenty years now) on one side, and you on the other side, with regret, I'll have to choose the former.

Apr 11, 2012 5:50 AM in response to fane_j

fane_j wrote:


Environment.plist is not for testing.


I never said it was. I said DYLD_INSERT_LIBRARIES is for testing. Environment.plist is for lazy programmers.


If environment.plist is a hack, then it is a hack designed by Apple, made by Apple, supported by Apple, and indicated to developers by Apple (see the two developer library docs I referred above). You'll forgive me if, between Apple's recommendation and yours, I go with Apple's.


There is a great deal in Apple's example code, documentation, and in the operating system itself that should not be used in production code. A competent, professional developer will know which ones those are.


Please explain that to Apple. They've been providing and supporting the wrong answer for, what is it now? Over 10 years? Since v10.0 or thereabouts?


I'm sorry, but if you don't get it then you just don't get it. I can't do any more to explain it. I don't even rely on environment variables when I'm writing pure command-line scripts on Linux. If I have 3rd party software that does require them, I set them up in my own, controlled environment using resource files and then kick off the third party tools in the properly setup environment. I would never stick a file in a user's home directory for that.


With great respect, I'm not about to consider that your configuration is the proper measure for all Mac OS X users. Between Apple and BareBones (who've been developing Mac software for over twenty years now) on one side, and you on the other side, with regret, I'll have to choose the former.


BBEdit only uses that file to run scripts from the GUI. I'm quite sure that it isn't required. People using BBEdit probably know how to deal with that file. If it gets blown away, they can easily restore it. (And, for the record, I've been developing Mac software for 25 years now).

Apr 11, 2012 12:40 PM in response to jo823

Does the following show infection of flashback or flashfake etc? I followed some instructions about Launchagents but don't know how to read them


ls -la ~/Library/LaunchAgents

grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* | grep -v "/Users/$USER/\.Trash"

William-Nicols-iMac:~ billynicol$ ls -la ~/Library/LaunchAgents
total 64
drwx------   9 billynicol staff   306  9 Apr 22:26 .
drwx------@ 59 billynicol staff  2006  9 Apr 22:21 ..
-rw-r--r--@  1 billynicol staff  6148  9 Apr 22:26 .DS_Store
-rw-r--r--   1 billynicol staff   618 12 Oct 21:00 com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.2DF3B7F9-9CFE-47E0-BE4C-51E3F211FE7E.plist
-rw-r--r--   1 billynicol staff   901 28 Feb  2011 com.apple.CSConfigDotMacCert-billynicol@me.com-SharedServices.Agent.plist
-rw-r--r--   1 billynicol staff   817 28 Feb  2011 com.apple.SafariBookmarksSyncer.plist
-rw-r--r--   1 billynicol staff   540 28 Feb 16:47 com.avast.install.plist
-rw-r--r--   1 billynicol staff   807  9 Jul  2011 com.google.keystone.agent.plist
-rw-r--r--   1 billynicol staff   776 16 Sep  2011 com.valvesoftware.steamclean.plist
William-Nicols-iMac:~ billynicol$ grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* | grep -v "/Users/$USER/\.Trash"
William-Nicols-iMac:~ billynicol$


and


can I ask:


I found the ".flserv" and "com.adobe.flp.plist" on my mac, but when I checked using instructions from http://brakertech.com/detect-mac-flashback/ through terminal it says system clear. I also checked through Kaspersky http://www.flashbackcheck.com/ and if I put my mac UUID in, it also says I am or have been infected. I wonder if even although the files were there and created a 'bot' with my Mac, the actual malware in safari and firefox was not installed. Is this correct?


Apr 11, 2012 1:29 PM in response to WZZZ

WZZZ wrote:


The stuff in ~/Library/LaunchAgents looks OK.


Check using this new Kaspersky tool.


https://www.securelist.com/en/blog/208193454/Flashfake_Removal_Tool_and_online_checking_site

Just had an instance of a user being locked out of his account using this tool Re: Non-Apple Software No Longer Works . I think it's recoverable, but proceed with caution.

Apr 11, 2012 1:56 PM in response to etresoft

etresoft wrote:


Environment.plist is for lazy programmers.

As I said, you're welcome to your opinion. AFAIC, any programmer who uses what Apple provides in the manner Apple recommends and for the purposes Apple designed it, is a good programmer.

I've been developing Mac software for 25 years now).

That's admirable, and deserves respect. Nevertheless, it doesn't give you the right to set yourself up as the final arbiter of a user's configuration ("If you have something so unusual that I don't have, you don't want it."). And, with the greatest respect, between you on one side, and Apple and Rich Siegel on the other, I'll go with them.

Apr 11, 2012 2:05 PM in response to jo823

Does anyone know or have an opinion please?

I found the ".flserv" and "com.adobe.flp.plist" on my imac, but when I checked using instructions from http://brakertech.com/detect-mac-flashback/ through terminal it suggested my system is clear.


I also checked through Kaspersky http://www.flashbackcheck.com/ and if I put my mac UUID in, it says I am or have been infected. I wonder if even although the files were there and created a 'bot' with my Mac, the actual malware in safari and firefox was not installed. Is this correct? I have removed both .flserv and com.adobe.flp.plist now too so imagine I am safe.


None of my credit card sites, bank, facebook etc have been weird so think I am OK.

Apr 11, 2012 2:17 PM in response to billynicol

billynicol wrote:


Does anyone know or have an opinion please?

I found the ".flserv" and "com.adobe.flp.plist" on my imac, but when I checked using instructions from http://brakertech.com/detect-mac-flashback/ through terminal it suggested my system is clear.

That suggests you shouldn't use that tool.


I also checked through Kaspersky http://www.flashbackcheck.com/ and if I put my mac UUID in, it says I am or have been infected. I wonder if even although the files were there and created a 'bot' with my Mac, the actual malware in safari and firefox was not installed. Is this correct? I have removed both .flserv and com.adobe.flp.plist now too so imagine I am safe.


No way to tell at this point. There are a couple of different places that could have malware installed. Have you checked them all?


Apple says it will release a removal tool soon. Until then, you can check the results of:


cat ~/.MacOSX/environment.plist


If you are tired of using these Terminal commands, you can try my removal script at: https://discussions.apple.com/docs/DOC-3271

Just remember to accept default. Press "enter" if you aren't sure.
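The two checks discussed in this thread (billynicol's grep of ~/Library/LaunchAgents for agents pointing at dotfiles in the home directory, and etresoft's cat of ~/.MacOSX/environment.plist) combined into one scan function. This is an added example, not code from the thread and not etresoft's removal script; it takes the directories as arguments and runs against a constructed sample so it can be tried without touching a live system. The file names com.adobe.flp.plist and .flserv come from the thread; the .hidden.so library name is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): scan for the two Flashback indicators
# discussed above. Paths are parameters so the checks can be run against a
# copy of the files or a constructed sample instead of the live system.

# flashback_scan AGENTS_DIR ENV_PLIST HOME_DIR
# Prints one line per finding. Returns 0 when clean, 1 when anything was found.
flashback_scan() {
    agents_dir=$1
    env_plist=$2
    home_dir=$3
    found=0

    # Indicator 1 (the grep from the thread, parameterised): a LaunchAgent
    # plist that points at a dotfile in the home directory, e.g. ~/.flserv.
    # References to ~/.Trash are ignored, just as the original command did.
    if [ -d "$agents_dir" ]; then
        for plist in "$agents_dir"/*.plist; do
            [ -f "$plist" ] || continue
            if grep "$home_dir/\." "$plist" | grep -vq "$home_dir/\.Trash"; then
                echo "SUSPECT launch agent: $plist"
                found=1
            fi
        done
    fi

    # Indicator 2: a DYLD_INSERT_LIBRARIES entry in ~/.MacOSX/environment.plist,
    # the mechanism the thread describes for loading a library into every app.
    if [ -f "$env_plist" ] && grep -q DYLD_INSERT_LIBRARIES "$env_plist"; then
        echo "SUSPECT environment.plist: $env_plist"
        found=1
    fi

    return $found
}

# Constructed sample (hypothetical contents) so the example runs offline.
sample_home=$(mktemp -d)
mkdir -p "$sample_home/Library/LaunchAgents" "$sample_home/.MacOSX"
printf '<plist><dict><key>ProgramArguments</key><array><string>%s/.flserv</string></array></dict></plist>\n' \
    "$sample_home" > "$sample_home/Library/LaunchAgents/com.adobe.flp.plist"
printf '<plist><dict><key>DYLD_INSERT_LIBRARIES</key><string>%s/.hidden.so</string></dict></plist>\n' \
    "$sample_home" > "$sample_home/.MacOSX/environment.plist"

flashback_scan "$sample_home/Library/LaunchAgents" "$sample_home/.MacOSX/environment.plist" "$sample_home"
echo "scan exit status: $?"
```

To run it against your own account, pass "$HOME/Library/LaunchAgents" "$HOME/.MacOSX/environment.plist" "$HOME" instead of the sample paths.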

Apr 11, 2012 2:36 PM in response to billynicol

billynicol wrote:


I wonder if even although the files were there and created a 'bot' with my Mac, the actual malware in safari and firefox was not installed. Is this correct?

No-one can give you that assurance. Over the past weeks, this malware has been developed very quickly (and, IMHO, by more than one person or one group), in different variants. As a result, I doubt that anyone can provide a definitive list of what it installs and where and in what phase.

I have removed both .flserv and com.adobe.flp.plist now too so imagine I am safe.

None of my credit card sites, bank, facebook etc have been weird so think I am OK.

The stress being on "imagine". Yes, you may be OK. Or your credit card and bank account info may be right now on sale…

Apr 11, 2012 6:26 PM in response to ds store

Thanks again to everyone on this thread, you all really helped me out and I appreciate it. I just finished erasing everything and re-installing from scratch today, just to be totally safe, and all now seems to be good.


I did download Little Snitch, but was wondering if anyone felt the need to run an Anti-Virus program on their Macs as well? I didn't get one initially because everyone at the Apple Store said it wasn't necessary, but this latest experience has me second-guessing myself. Any recommendations?

Apr 11, 2012 6:47 PM in response to jo823

jo823 wrote:


I did download Little Snitch, but was wondering if anyone felt the need to run an Anti-Virus program on their Macs as well? I didn't get one initially because everyone at the Apple Store said it wasn't necessary, but this latest experience has me second-guessing myself. Any recommendations?

I don't even run anti virus on Windows 🙂


This is the first actual malware that I can remember on MacOS X in 12 years. All of the other ones required the user be tricked into installing them. The actual security hole was in Java from 5 years before MacOS X. The actual infection is pitifully easy to remove. Apple has already removed Java from the default installation of the operating system and is taking additional steps to make it more secure in the future. I don't think there is anything to worry about.
