The Flashback malware removal tool (I'm running v10.5.8) appears to be causing big problems with an online game that my daughters play. How can I uninstall/delete this from my Mac? What is the file is installs called and where does it reside?
iMac, Mac OS X (10.5.8)
It shouldn't cause problems. It checks various places and removes the malware components only.
What kind of problems are you having and what makes you think it is the removal tool.
bmath2 wrote:
The Flashback malware removal tool (I'm running v10.5.8) appears to be causing big problems with an online game that my daughters play. How can I uninstall/delete this from my Mac? What is the file is installs called and where does it reside?
The files installed are all deleted after running once, so none of them are still on your Mac.
I don't know for sure that the removal tool is causing any problems. Could be a coincidence but the the problems with the online game my girls play (a SOE online game) started right after I accepted that update from the Software Update on my Mac. They had been successully playing the game for months prior. I spoke to the techs at SOE and was told that several similar problems from Mac users had started to come into their call center within the past couple of days. I don't know, but I suspect they were from Mac users running Leopard who had just a day or two before accepted this same security update. At the time I spoke to the tech they didn't know either but were going to research it.
Again, I have no way to really know if the update is responsible, but that is the only thing that changed with my Mac (no other software updated or anything of the kind around that time). Could be a coincidence with the timing, but given the uptick in reports to the SOE tech call center on top of my problem, I suspect that somehow the update is responsible.
Thanks. I figured that must be the case since I was able to find nothing related on my Mac.
Also, in answer to what kinds of problems am I having: the game is a MMORP. Software and a plug-in have to be installed to play. As I said, my daughters played for months with no problems but recently, after they log in and begin to move their character around and/or use the chat feature, this error message pops up and the software exits play mode:
Exception Raised: Unhandled page fault on read access to 0x0000002b at address 0x007cfb18. Do you wish to debug it?
(the codes vary but the rest of the message is consistent)
bmath2 wrote:
Also, in answer to what kinds of problems am I having: the game is a MMORP. Software and a plug-in have to be installed to play.
About all I can suggest is that you reinstall that plugin in case it was somehow damaged by the Flashback MRT or hope that MMORP tech support comes up with something.
You should probably let Apple know at http://www.apple.com/feedback/macosx.html but I suspect they won't be too interested since they are just barely supporting 10.5.8 at this point.
I doubt that anybody here has information on exactly what the Flashback MRT does as Apple has kept that a closely guarded secret since it's security related. I do know most all of the files that were installed by Flashback with over two dozen variants and none of them were installed in the usual plugin locations. IIRC it mostly involves the user's home folder, Safari, Firefox, Chrome, /Users/Shared/ and some temp files in the unix portion of OS X.
Exactly which leopard update did you install?
Was it the Leopard Security Update 2012-00 ?
I WISH APPLE WOULD STOP THAT D@MN 15 MINUTE TIME LIMIT! I CANNOT EVEN FINISH A POST I START AND DON'T EVEN TO GET A CHANCE TO CORRECT THE ONE I HAVE CURRENTLY OPEN FOR EDITING. THE CLOCK SHOULDN'T START COUNTING UNTIL IT IS ACTUALLY POSTED NOR COUNT WHILE BEING ACTIVELY EDITED. VERY FRUSTRATING. ðŸ˜
----------------
AS I WAS TRYING TO SAY...
Exactly which leopard update did you install?
Was it the Leopard Security Update 2012-003 ?
If so copy/paste the following lines in the terminal (in Utilities):
sudo killall -9 FlashUpdaterAgent
sudo killall -9 flashupdater
Answer the prompt for your admin password (it will not echo).
Then copp/paste:
ps ax | grep -i FlashUpdaterAgent | grep -v grep
ps ax | grep -i flashupdater | grep -v grep
If nothing is displayed try playing your game(s) to see if they work. If they do post that and I'll tell you how to get rid of FlashUpdaterAgent and flashupdater permanently. This is stuff installed by that security update. Fortunately that update only added stuff and didn't change existing stuff so it's easy to uninstall.
Thanks MadMacs0. I did reinstall the plug-in and software, tried different browsers, etc. To no avail. I'll go ahead and let Apple know. And I ordered my Snow Leopard disc, which will arrive tomorrow. Going to upgrade to that and then Mountain Lion from there in a couple months.
What was installled was called Flashback Removal Update 1.0. That's verbatim how it appears in the Software Update.
Flashback Removal Security Update 1.0
Ok, that one can be disabled too. Same method I described above except using hte followin set of instructions (slightly changed grep):
sudo killall -9 MRT
sudo killall -9 MRTAgent
sudo killall -9 JavaDisabler
ps ax | grep -w MRT | grep -v grep
ps ax | grep -w MRTAgent | grep -v grep
ps ax | grep -w JavaDisabler | grep -v grep
The MRT is a "watcher" process continually looking for flashback-like code injections. This was also added to the java updaters for snow leopard and lion.
This update can be "uninstalled" since it too doesn't clobber existing code.
X423424X wrote:
The MRT is a "watcher" process continually looking for flashback-like code injections. This was also added to the java updaters for snow leopard and lion.
You seem to be saying that the MRT does not delete itself upon completion of one run which was the case with the Snow Leopard and Lion installations according to this MacFixIt article A look at Apple's Flashback removal tool and confirmed by dozens of users who were unable to locate it after installation?
Upon completion of its scan, the MRT command line tool, the MRTAgent program, and the launch agent scripts used for it will be deleted from your system.
If so one or more of the following files should still be in the OP's system:
You got them all.
I was under the assumption it remained solely based on static analysis of the FlashbackRemovalUpdate.pkg. Plus I thought that it would remain based on what I recall from some posts that mentioned seeing a dialog being posted sometime after the installation saying flashback stuff has been detected and removed. Maybe my memory is faulty here and you are correct. I didn't know about that cnet article and I can't test it for myself since I use 10.6.5.
I guess we'll find out if the OP says he can't find that stuff. If it truly isn't there then the OP is of course incorrect that this update has anything to do with his problem.
X423424X wrote:
I was under the assumption it remained solely based on static analysis of the FlashbackRemovalUpdate.pkg.
I have had to do the same thing which means I don't know much of anything about what MRT actually does. It first appeared during the MacDefender days and then even Apple told us it was a one-time run. I assume that's so they can re-release it to look for different files each time to keep up with changes. I once thought they used the XProtect definitions to find files, but since there aren't any for the Java Flashback variants, it must come with it's own list of files to go after.
I disassembled MRT. That seems to be where all the action is. I see explicit references to many of the flashback pathnames so it's the file doing the search and destroy.
I also see all the installer's own pathnames used to create a array. But it's not immideiatly obvious how they are removing them. It wasn't worth digging any deeper.
Flashback removal causing problems?
