
Could I still have Flashback if everything comes back negative?

My university emailed me saying they detected Flashback on my Mac and that they were taking my network privileges away until I wiped my hard drive and reinstalled the OS. I immediately got on Terminal and inputted the lines of code:


defaults read /Applications/Safari.app/Contents/Info LSEnvironment

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES


Both came back saying the file did not exist. I then ran FlashbackChecker for good measure. It said I was not infected.

I let my university know this, asking what caused the alarm. They said they have more advanced technology that can pick up malware I can't locally (I pasted part of the email they sent below). Is this true?


Could I still have Flashback if everything I did came back negative? Is wiping my computer really the only option?


"Because our systems detected that your computer was infected with Flashback and the problem with many malicious programs like this is that they often are not detected with conventional scans on the computer. The way [university] systems detect and track outbreaks like this is far more advanced than scans run on a local machine so they can often detect programs while local scans do not"

Posted on Apr 13, 2012 9:15 AM

Question marked as Best reply

Posted on Apr 13, 2012 9:28 AM

Not likely.


This Java security update removes the most common variants of the Flashback malware.


http://support.apple.com/kb/HT5242?viewlocale=en_US&locale=en_US



Run your Software Updater


>Software Update...


Apr 13, 2012 9:44 AM in response to Linc Davis

I thought about this, but I worry what sparked the malware detection in the first place. They said if they find it again I'll be blacklisted. These responses make me feel more confident that my computer is indeed clean.


I didn't have my system updated when they sent out the detection, but I do now. I'm hoping the detection was just caused by not having the update and that now that it is I won't have problems.

Apr 17, 2012 10:17 AM in response to Exsiss

Just a heads up for people who think they are safe from the virus for doing the things suggested: I got Symantec and ran a full computer scan and a file of Flashback did return. All responses in Terminal still return as "does not exist". The FlashbackChecker still says I don't have it. I have updated all software recommended by Apple. Yet I still have it.


So if you think you are clean, be sure to run a scan just in case!

Apr 17, 2012 10:30 AM in response to Exsiss

... a file of Flashback did return.


Thanks for the update.


What is the exact file name and location on your Mac?


A "file of Flashback" is too vague to mean anything specific. If it is a new attack this information would be very important.


The way most utilities like Symantec work, it could easily have been identified as a required OS X component, in which case its removal would corrupt your system.

Apr 17, 2012 2:09 PM in response to Exsiss

Exsiss wrote:


My university emailed me saying they detected Flashback on my Mac and that they were taking my network privileges away until I wiped my hard drive and reinstalled the OS. I immediately got on Terminal and inputted the lines of code:


defaults read /Applications/Safari.app/Contents/Info LSEnvironment

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

Both came back saying the file did not exist. I then ran FlashbackChecker for good measure. It said I was not infected.

Unfortunately, the first set of commands is incomplete and without knowing exactly where you got FlashbackChecker and when, it probably wasn't the correct version for checking the current variant either. I'm just glad you didn't run the first version of Kaspersky's tool which would have locked you out of your account for the same reason.


I don't read anywhere if the Apple Java Update told you there was malware on your computer. It is supposed to notify you if there was, but not if there was not.

I got Symantec and ran a full computer scan and a file of Flashback did return. All responses in Terminal still return as "does not exist". The FlashbackChecker still says I don't have it. I have updated all software recommended by Apple. Yet I still have it.

The only tool other than the Apple Updates that I trust is the Flashback Removal app from F-Secure. None of us really know how the Apple MRT works, but yours would be one of the first that indicated it did not.

For that reason, many of us want to know what the file name is/was and where it was found. Can you help us out here?

Apr 17, 2012 3:47 PM in response to leroydouglas

Luckily, I have a free version through my university (of Symantecs).


The FlashbackChecker I had used was the one found at GitHub that was suggested from many sites.


Weirdly enough, even though Symantec's said I had a Flashback file, when I ran their Flashback file detector and removal software that also came back negative for having Flashback.


The file was called .flserv and identified as an OSX.Flashback.K. I believe it was found in Users/myusername. I'm looking through my history to see if that's where it was, but I'm 99% sure it was.

Apr 17, 2012 4:19 PM in response to Exsiss

Exsiss wrote:


Luckily, I have a free version through my university (of Symantecs).


The FlashbackChecker I had used was the one found at GitHub that was suggested from many sites.


Weirdly enough, even though Symantec's said I had a Flashback file, when I ran their Flashback file detector and removal software that also came back negative for having Flashback.


The file was called .flserv and identified as an OSX.Flashback.K. I believe it was found in Users/myusername. I'm looking through my history to see if that's where it was, but I'm 99% sure it was.

And that is the file all the "i" variant searchers miss. It's the module that should have been trying to communicate out and what your university must have intercepted.


In that case there may well be one more file. Please copy and paste the following Terminal command:


ls -la ~/Library/LaunchAgents


and hit return. Copy and paste the results back here.
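The checks scattered through this thread (the two `defaults read` commands from the original post, the hidden `.flserv` file Symantec reported, and the `ls -la ~/Library/LaunchAgents` listing asked for above) can be run in one read-only pass. The script below is an added example, not code from the thread or from any of the tools named in it; it reports and never deletes. The artifact names and plist paths come from the thread, while the use of `plistlib`, the placeholder dylib path and the constructed sample home folder are assumptions made for the example.

```python
"""Added example, not code from the thread: a read-only triage script that
checks the Flashback indicators discussed above in one pass. It reports, it
never deletes. Paths for the sample run are constructed in a temp folder."""
import plistlib
import tempfile
from pathlib import Path

# Location of the plist the thread's Safari `defaults read` command queries.
SAFARI_INFO_PLIST = "/Applications/Safari.app/Contents/Info.plist"


def _load_plist(path):
    """Parse an XML or binary plist; return {} if it is missing or unreadable."""
    try:
        with Path(path).open("rb") as fh:
            return plistlib.load(fh) or {}
    except (OSError, plistlib.InvalidFileException, ValueError):
        return {}


def flashback_indicators(home, safari_info_plist=SAFARI_INFO_PLIST):
    """Return a list of (kind, detail) tuples.

    kind == "indicator": a direct Flashback artifact named in the thread.
    kind == "review":    a launch agent to look at (legitimate apps use them too).
    """
    home = Path(home)
    findings = []

    # 1. The hidden ~/.flserv file Symantec flagged as OSX.Flashback.K.
    flserv = home / ".flserv"
    if flserv.exists():
        findings.append(("indicator", f"{flserv} present"))

    # 2. `defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES` reads this
    #    plist; a value here injects a library into every process the user launches.
    env_plist = home / ".MacOSX" / "environment.plist"
    lib = _load_plist(env_plist).get("DYLD_INSERT_LIBRARIES")
    if lib:
        findings.append(("indicator", f"DYLD_INSERT_LIBRARIES={lib} in {env_plist}"))

    # 3. `defaults read .../Safari.app/Contents/Info LSEnvironment`: the same
    #    injection, scoped to Safari alone.
    ls_env = _load_plist(safari_info_plist).get("LSEnvironment")
    if ls_env:
        findings.append(("indicator", f"LSEnvironment={ls_env} in {safari_info_plist}"))

    # 4. `ls -la ~/Library/LaunchAgents`: per-user persistence. Listed for
    #    review, not judged, because many legitimate apps install agents here.
    agents = home / "Library" / "LaunchAgents"
    if agents.is_dir():
        for plist in sorted(agents.glob("*.plist")):
            findings.append(("review", str(plist)))

    return findings


def build_constructed_home(root):
    """Populate ROOT with all four artifacts. CONSTRUCTED fixture for the demo;
    the dylib path and agent label are placeholders, not real malware paths."""
    root = Path(root)
    placeholder_lib = "/Users/Shared/.placeholder.dylib"
    (root / ".flserv").touch()
    (root / ".MacOSX").mkdir(parents=True)
    with (root / ".MacOSX" / "environment.plist").open("wb") as fh:
        plistlib.dump({"DYLD_INSERT_LIBRARIES": placeholder_lib}, fh)
    (root / "Library" / "LaunchAgents").mkdir(parents=True)
    with (root / "Library" / "LaunchAgents" / "com.example.placeholder.plist").open("wb") as fh:
        plistlib.dump({"Label": "com.example.placeholder", "RunAtLoad": True}, fh)
    info = root / "Info.plist"  # stand-in for Safari's Info.plist
    with info.open("wb") as fh:
        plistlib.dump({"LSEnvironment": {"DYLD_INSERT_LIBRARIES": placeholder_lib}}, fh)
    return info


def demo():
    """Run the checks on a constructed infected home and on an empty one."""
    with tempfile.TemporaryDirectory() as tmp:
        infected_home = Path(tmp) / "infected"
        infected_home.mkdir()
        info = build_constructed_home(infected_home)
        clean_home = Path(tmp) / "clean"
        clean_home.mkdir()
        return (flashback_indicators(infected_home, info),
                flashback_indicators(clean_home, Path(tmp) / "missing.plist"))


if __name__ == "__main__":
    infected, clean = demo()
    for kind, detail in infected:
        print(f"[{kind}] {detail}")
    print(f"clean home: {len(clean)} findings")
```

On a real Mac you would call `flashback_indicators(Path.home())` and read the output; a "review" line is not a verdict, since launch agents are normal, but an "indicator" line is the kind of concrete file name and location the replies above keep asking for.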

Apr 18, 2012 12:21 AM in response to Exsiss

Also, can you go to https://www.drweb.com/flashback/ and enter your UUID, if willing, to see if you are in the database. That will help confirm what the University saw as well as possibly establish the date of infection. It's not foolproof as Apple had their collection server shut down for some period of time, thinking they were the bad guys. You would think all these folks would get organized and coordinate these things.


It's a secure site, most of us agree that the UUID can't be used for much of anything (thousands of them have been posted to this forum by now) and Dr. Web has been around for 20 years, so they seem to be a reputable A-V software vendor, just new to the Mac scene.

Apr 18, 2012 8:03 AM in response to Exsiss

Let me attempt to clarify the situation with 'Flashback' (or 'Flashfake' according to Kaspersky).


There are reportedly 14 different variations of the Flashback malware. The first 13 versions were Trojan horses. The most recent version (listed as Malware.OSX.Flashback.N by Intego, and .K by some others) is the one that became famous, the one that uses what was an unpatched Java exploit, able to use a drive-by infection to install the initial malware package without any user password permission. That security hole was patched by Apple in their recent series of Java updates for Mac OS X 10.6 and 10.7. Also available to 10.7 users who never installed Java is Apple's Flashback Malware Remover app.


MEANWHILE: The previous 13 variants are still around and people may well continue to become infected. Also, Apple's Flashback Malware Remover (10.7 only) does NOT remove all variants of Flashback. It only removes 'the most common variants'. Therefore, even after running Apple's Remover tool, you may STILL be infected with a variant of Flashback.


How does the school know you're infected? The most likely answer is that they see your specific IP address performing behavior characteristic of the Flashback botnet. ALL variants of Flashback install bot malware onto your Mac and connect it to the overall Flashback botnet. There is a set group of IP destination addresses being used by the Flashback botnet. If your computer is regularly connecting to one or all of those IP addresses, you're infected.


What ELSE can you do to detect and kill off the Flashback malware? There are a number of FREE malware detection programs. Some of them include malware removal tools as well. I suggest you try both of the following:


1) ClamXav. This is a free program that makes use of the ClamAV open source project. Mark Allan provides a Mac GUI on top of ClamAV that makes it easy to use and schedule. You can read about it and get it here:


http://www.clamxav.com/


I am involved with a number of people interested in Mac security who do our best to keep ClamAV up-to-date with the latest Mac malware definitions.


2) Sophos Free AntiVirus for Mac. Sophos writes anti-malware software for small business and enterprise Mac users. But they also offer this free tool that is kept automatically up-to-date with the latest malware definitions. You can read about it and get it here:


http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx


Both of the free anti-malware tools include removal of malware. Just be certain to keep them up-to-date at all times.


If you would like a full featured, bells and whistles commercial anti-malware program, the best IMHO is Intego's VirusBarrier X6. I own it, use it and like it. They offer a full featured 30-day trial version here:


http://www.intego.com/demo


VirusBarrier costs $50 with charges after the first year for further malware definition updates. You can currently purchase it for $40 via CNET here:


https://www.trialpay.com/cart/?pp=DfSfSo8P&c=7a328be


Take your pick of these three. They all can remove all the variants of Flashback and get you off the Flashback botnet.


:-Derek
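Derek's explanation of how the university most likely spotted the infection, a host on campus regularly connecting to the botnet's known destination addresses, is the network-side check that a local scan cannot replace. The script below is an added example of that detection logic, not code from the thread or from any university; the firewall log lines and the "C2" addresses (TEST-NET ranges) are constructed placeholders, and the log layout, the hourly bucketing and the `min_hours` threshold are assumptions made for the example.

```python
"""Added example, not from the thread: flag hosts that repeatedly connect to
known Flashback command-and-control addresses, the kind of network-side
detection a campus NOC would run. Log lines and C2 addresses are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Placeholder C2 addresses (constructed, from documentation ranges; not real
# Flashback infrastructure). A real deployment loads these from an indicator feed.
FLASHBACK_C2 = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}

# Constructed firewall log in an assumed "timestamp src dst dport" layout.
SAMPLE_LOG = """\
2012-04-12T08:01:13 10.20.5.41 203.0.113.10 80
2012-04-12T08:01:15 10.20.5.41 17.172.224.47 443
2012-04-12T09:31:02 10.20.5.41 203.0.113.11 80
2012-04-12T10:02:44 10.20.5.41 203.0.113.10 80
2012-04-12T11:15:09 10.20.7.8 203.0.113.10 80
2012-04-12T11:16:00 10.20.9.3 93.184.216.34 80
this line is malformed and must be skipped
2012-04-12T12:40:21 10.20.5.41 198.51.100.7 80
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Yield (timestamp, src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, src, dst, dport = match.groups()
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def c2_contacts(text, c2=FLASHBACK_C2):
    """Map each source host to the set of distinct hours in which it reached a C2 address."""
    hours = defaultdict(set)
    for ts, src, dst, _ in parse_log(text):
        if dst in c2:
            hours[src].add(ts.replace(minute=0, second=0, microsecond=0))
    return hours


def flag_hosts(text, c2=FLASHBACK_C2, min_hours=2):
    """Return the sorted hosts that contacted C2 in at least min_hours distinct hours.

    One contact can be noise (a researcher, a sinkhole probe); repeated contact
    spread over time is the "regularly connecting" pattern Derek describes.
    """
    return sorted(src for src, hrs in c2_contacts(text, c2).items()
                  if len(hrs) >= min_hours)


if __name__ == "__main__":
    contacts = c2_contacts(SAMPLE_LOG)
    for host in flag_hosts(SAMPLE_LOG):
        print(f"{host}: probable Flashback bot, C2 contact in {len(contacts[host])} distinct hours")
```

In the constructed log, 10.20.5.41 beacons in four separate hours and is flagged, while 10.20.7.8 touches a C2 address once and is only reported when the threshold is lowered; that single contact is exactly the case where a NOC would ask the owner for the file name and location rather than cutting off the port straight away.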
