Apple Event: May 7th at 7 am PT
I used Sophos Anti-Virus and it said I have a OSX/Flshplyr-E Trojan but I'm unsure how to get rid of it as it says it needs to be removed manually? someone help please!😕
MacBook Pro, Mac OS X (10.7.4)
/.MobileBackups/Computer/2013-06-04-080922/Volume/Library/Application Support/Apple/.SafariArchive.tar.gz
original location: /applications/safari.app/Contents/resources/.dialupmagic.xsl
I'm not sure what the "original location" part means. Sophos should show you four columns in its Quarantine Manager window: Date, Threat (which would say something like OSX/Flshplyr-E for this malware), Filename (which is just the file's name) and Action Available. If you were to click on that item in the Quarantine Manager, it should show mostly the same information, but will show the full path and the file name. I've never seen it show anything called "original location." Is this actually from Sophos?
As for what these files are, the .SafariArchive.tar.gz is simply, as was said earlier, an old copy of Safari that has been temporarily archived following an update. The fact that it is in the .MobileBackups folder means that it was deleted on June 4, and because you must be using Time Machine on a laptop, it was placed into your "local snapshots." It will be kept there for one week, then deleted. For more information about this, see:
The second path represents a part of the malware that would have been found inside Safari. Since you are running Mac OS X 10.7.5 and Safari 6.0.5, that file should no longer be there and you should not have an active infection any longer. Updates would have cured the infection at some point, though I'm betting that you didn't actually update until very recently.
The big question would be, is Sophos still seeing that .dialupmagic.xsl file inside your current version of Safari?That shouldn't be possible, but just to check, open the Terminal and enter the following command:
ls -al /Applications/Safari.app/Contents/Resources/ | grep ' \.'
(Make sure to copy this command and paste it in, to ensure that it is exact.)
The output of this command should be something like this:
drwxr-xr-x 533 root wheel 18122 Jun 4 18:10 . drwxr-xr-x 9 root wheel 306 Jun 4 18:10 ..
If you see anything else, post the output here.
I don't think I have any use for that file, but Thomas may still be interested.
Nah, I've got more than enough samples of Flashback at this point! 🙂
hi thomas,
this is what i get when i put the command in the terminal
drwxr-xr-x 643 root wheel 21862 Jun 6 10:50 .
drwxr-xr-x 10 root wheel 340 Jun 4 19:20 ..
is this ok ?
Kmontoya19 wrote:
drwxr-xr-x 643 root wheel 21862 Jun 6 10:50 .
drwxr-xr-x 10 root wheel 340 Jun 4 19:20 ..
is this ok ?
Yes.
thanks guys for all the help
How do I get rid of malware called OSX/Flshplyr-E?
