Previous 1 2 Next 20 Replies Latest reply: Jun 7, 2013 11:18 AM by Kmontoya19
jackmorty Level 1 (0 points)

I used Sophos Anti-Virus and it said I have a OSX/Flshplyr-E Trojan but I'm unsure how to get rid of it as it says it needs to be removed manually? someone help please!

MacBook Pro, Mac OS X (10.7.4)
  • thomas_r. Level 7 (30,640 points)

    Are you actually running 10.7.4, as your profile indicates?  If so, you shouldn't have that at all, because the system updates you have installed should have removed it (if present) and then prevented future infections.  If you do have 10.7.4, I'm not sure how that got there.  Did you by any chance copy a whole user folder from another machine, or from a backup, onto your computer?


    If Sophos won't remove it for you, you could try F-Secure’s removal tool.


    For more information about Flashback, see About the Flashback malware.

  • Austin Kinsella1 Level 6 (11,510 points)

    Read Topher Kessler but unless you installed Jave yourself it is unlikely that 10.7.4 would be infected.

  • jackmorty Level 1 (0 points)

    I have tried F-Secure's removal tool and it couldnt find anything, and I have tried entering codes into terminal to search for malware too any they all said theres nothing there either! I'm so confused! I've re-scanned my macbook on Sophos around 4 times and every time it said every time that I have this malware trojan.

  • thomas_r. Level 7 (30,640 points)

    Sophos should identify the infected file(s)...  what does it say is infected?  In the Quarantine Manager, select that item and look at the Threat Details section below it.  What does it say there?

  • jackmorty Level 1 (0 points)

    The only thing it says is:

    /Library/Application Support/Apple/.SafariArchive.tar.gz

  • thomas_r. Level 7 (30,640 points)

    Is that what's listed as the "Path and Filename"?  If so, that should be the file that Sophos thinks is infected.  That file is created whenever Safari is updated, and contains the previous version of Safari.  It's a perfectly normal file.


    Here's my guess as to what happened: Presumably, you must have been infected at some point, and must have given your admin account password to the malware to allow it to install itself inside of Safari.  (Without the admin password, it couldn't install itself there.)  Then, at some point, you updated Safari, and the infected version got archived in that file.  Your current version must be clean, or Sophos would have found that.


    So, though there is probably an infected file inside that archive, it's inert at this point and not affecting you at all.  However, malware isn't a good thing to leave lying around.  I've never messed around with that file, but you could try deleting it.  My guess is that it shouldn't make a difference, but that's just a guess, so here's what I recommend.  First, in the Terminal, paste in the following command (do not try to retype it!):


    sudo mv /Library/Application\ Support/Apple/.SafariArchive.tar.gz ~/Desktop/SafariArchive.tar.gz


    After pasting that command, hit return.  When asked for your password, enter it and press return, being aware that nothing will be displayed when you type.  (Note that you must be using an admin account when doing this.)


    This will move the archive from where it is onto your desktop, as well as renaming it to make it become visible.  (The period at the beginning of the name means it will be hidden in the Finder.)  It can't do you any harm there.  Now test for a while (a day or so), and if your system seems to be working fine, you can safely delete that file.


    If it becomes necessary to put it back, just do this:


    sudo mv ~/Desktop/SafariArchive.tar.gz /Library/Application\ Support/Apple/.SafariArchive.tar.gz


    Since I don't honestly know what effect removing that file might have - though I doubt it will have any, I don't know that for sure - it would be okay to leave it there, and it should be replaced with a clean version of Safari the next time there's an update.


    Edit: Could you e-mail me privately?  I'd like to get a sample of that file for testing.  You'll find my address here:


  • jackmorty Level 1 (0 points)

    Thanks so much! I deleted the file and it worked fine! no side effects as of yet!

  • thomas_r. Level 7 (30,640 points)

    Did you already delete it, or just move it to the desktop?  If you still have it on the desktop, can you contact me privately?


  • MadMacs0 Level 5 (4,700 points)

    jackmorty wrote:


    Thanks so much! I deleted the file and it worked fine! no side effects as of yet!

    Too bad, I guess it we may never know. It's clearly a file that most all of us have. It's not a complete backup, so I'm not certain what purpose it serves. How it would be identified as infected will have to remain a mystery, for now.


    Did you ever have any indication of a Flashback infection prior to this? Maybe on a different OS or Mac? The symptoms were being arbitrarily redirected to advertising sites and unexplained crashes of Safari and various other apps.

  • Th0rfinna Level 1 (0 points)

    Thank you for this post. I too was infected with this (and deleted it before I saw your post asking for a copy).


    I am running 10.6.8 and noticed issues with pages not loading in Safari (taking FOREVER) and the memory available on my MacBook fluctuating (about a gig or two) over the past few days to a week. Sophos found it but could not delete it. Sophos said I was infected with it last October 23.


    I followed the advice in your post to be able to see and delete the file. No issues at present.  I am in your debt, sir.

  • MadMacs0 Level 5 (4,700 points)

    That infection was to an older copy of Safari that had been placed in an archieve in case the installer for the new version failed. It could not have caused any harm to your computer in this form and it was OK to delete it as you won't need it in the future.

  • thomas_r. Level 7 (30,640 points)

    I am running 10.6.8 and noticed issues with pages not loading in Safari (taking FOREVER) and the memory available on my MacBook fluctuating (about a gig or two) over the past few days to a week. Sophos found it but could not delete it.


    If the infection was found in the .SafariArchive.tar.gz file, it would not have been causing the problems you describe. That file is simply an older copy of Safari, sitting inertly on the hard drive. The issues you were noticing must have been caused by something else.


    On the other hand, if the infected file was found inside your current version of Safari, it must have been there for quite a while now (Flashback hasn't been seen in the wild since at least June of last year), and I'm surprised that you didn't have problems before!

  • Kmontoya19 Level 1 (0 points)

    hi everyone,

    it looks like i have the same problem when i run shopos it says:

    /.MobileBackups/Computer/2013-06-04-080922/Volume/Library/Application Support/Apple/.SafariArchive.tar.gz

    original location: /applications/



    can i delete it?

  • MadMacs0 Level 5 (4,700 points)

    I have been scratching my head for some time now trying to understand exactly what "/.MobileBackups/Computer/...." is, other than being a hidden directory (folder). I would expect to see something like that associated with iTunes backing up an iPhone/iPad/iPod device.


    If this really is some sort of backup then using the Finder to delete the file would probably corrupt the backup index and render it useless.


    I don't recognize ".dialupmagic.xsl" but the location and format are similar to other components of the Flashback Trojan/Backdoor identified in the past.


    Your profile doesn't indicate what OS X you are using, but did you just update to 10.8.4 or Safari 6.0.5?


    I don't think I have any use for that file, but Thomas may still be interested.

Previous 1 2 Next