
Flashback malware.....

So my question is: what do I do if I find that my Mac was infected with the recent version of the Flashback malware using Avast anti-virus protection, but when I downloaded and installed Apple's Flashback malware remover tool I did not receive any notification that my Mac was infected at all? P.S. I will be rerunning the scan again using Avira anti-virus for Mac, due to the fact that Avast is confusing to use.

MacBook Pro (13-inch Mid 2010), Mac OS X (10.7.5)

Posted on Dec 29, 2012 7:14 PM


Dec 30, 2012 2:14 AM in response to thermitefist

thermitefist wrote:


Would it be fine if I used Avira to check? I've looked at Avira and seen reviews for it, and so far it seems to have positive feedback.

Where did you find a review for the Mac version? I know their Windows software has always had a good reputation, but I haven't been able to locate an independent, comparative review of it yet.


I would also be interested in the file that Avast found. Can you upload it to VirusTotal to see if any other scanners detected it as malware?

Dec 30, 2012 3:04 AM in response to MadMacs0

Oh, honestly I can't remember where I found it, sorry, and I deleted Avast and Avira in favor of Sophos, which is a lot easier to use. After scanning with Sophos it found 5 threats, 4 of which I was easily able to clean up and get rid of, but now my only problem is that when I try to do a custom scan so I can get rid of the 5th one (because I have to do it manually) I can't find the file anywhere. I did make sure to note the file and path name, and even tried the "command-shift-." thing and still got nowhere. And I'm pretty sure that this 5th threat is that same trojan that Avast picked up earlier, which is weird because earlier I installed Apple's Flashback malware removal tool and got nothing from it. Here's the link that Sophos has info on: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/OS X~Flshplyr-E.aspx Please help, because by the looks of it, this trojan is bad.

Dec 30, 2012 11:26 AM in response to thermitefist

thermitefist wrote:

Here's the link that Sophos has info on: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/OS X~Flshplyr-E.aspx Please help, because by the looks of it, this trojan is bad.

Well, that would certainly seem to confirm you have something there left over from a Flashback variant. The good news is that most A-V labs consider Flashback to be extinct and its communications server has not been heard from for many months, so I don't see it as a threat, but it could be causing other problems for you so I agree that it's time to get rid of it. If you can let me know the path I can certainly try to help you with that.


or


Sophos shows a technical solution for manual removal at the bottom of "New to Sophos - what is actually running?". It's a long process and may not be something you want to tackle unless you are comfortable using the Terminal app.


or


Since the Apple removal tool seems to have missed it, I recommend trying F-Secure's Flashback Removal Tool which has worked well in the past.

Dec 30, 2012 12:38 PM in response to thermitefist

thermitefist wrote:


OK, I'll try F-Secure's removal tool. The file name and path are /Library/Application Support/Apple/.SafariArchive.tar.gz and I couldn't find anything there.

That is an invisible file that is left over from updating Safari and of no danger to anybody. It's put there in case anything goes wrong with the update so that the installer can revert back to the older version. All it means is that Safari was, at one point, infected by the Flashback Trojan, but was rendered harmless when you replaced it. You may have experienced some Safari crashes at the time as early versions were buggy in that respect. I would have thought that the installer would delete it upon successful installation, but I see that I have one, as well.


It's not really necessary, but there are a couple of ways to get rid of it.


You can make invisible files visible temporarily which will allow you to find and trash the file and then make them invisible again (unless you would like to leave them that way). Several third party utilities will do this for you or there are terminal commands available in this article http://www.mikesel.info/show-hidden-files-mac-os-x-10-7-lion/.


Or you could just delete it by opening the Terminal app (found in /Applications/Utilities/) then copy and paste the following command into the window after the "$ " prompt:


rm -f /Library/Application\ Support/Apple/.SafariArchive.tar.gz


followed by the return key.


The only confirmation you will get if it works is the return of the "$ " prompt. If it fails it will give you an error message.

I also looked in the original file that it infected, which is /Applications/Safari.app/Contents/Resources/.MacareanOfTime.xsl, and there was nothing there either.

I'll have to think and look into this a bit more.
