Flashback Trojan - I still think I have it.

I realised I had the flashback trojan today as when I right-clicked the desktop, some numbers came up instead of the actual options (like N169.3 or something) and so I set off to try and remove it myself. And I am really bad at this stuff.
I managed to delete the environment.plist file (or at least I believe I did), and after restarting my computer the numbers went away and when I right-clicked it was normal. However, I was still feeling uneasy about it, so I went to terminal and typed in ls /Users/Shared.*.so and /Users/Shared.MailWashervXX.so came up.
I'm supposing that's a bad thing and I don't really know what to do now. Help?

Probably is.  I don't recognize the name.  But you deleted the environment.plist so it cannot be tracked back for sure.
One thing about anything in /Users/Shared though.  If something is there, a trojan or a valid app put it there.  And it won't be too serious if you delete it.  A valid app (properly written) will put it back if it needs it.  Otherwise, who cares.  Just trash it.
As for whether you extracted all of the trojan code or not, well, here's a quote of the current recommendations on how to handle this (which I am quoting from other posts on this subject):
Courtesy of Linc Davis:
You installed a variant of what’s commonly called the “Flashback” malware, although the name is obsolete.
If you’re absolutely sure you know when that happened, and you back up with Time Machine or something similar, you can save yourself a lot of time by restoring your whole system from the most recent snapshot taken before it was infected. Then take Steps 7, 8, and 10 below.
How can you tell when the infection took place? All you can be sure of is that you were infected some time before the problems started. You may have visited a blog that prompted you to install some kind of software, or a “certificate.” If you remember doing that recently, mention it in a reply, but don’t post a link.
If you don’t know when you were infected, there's no easy, reliable way to remove the malware, because it's constantly changing. I suggest you take the following steps immediately:
1. Back up all data to at least two different devices, if you haven't already done so.
2. Boot from your recovery partition (if running Mac OS X 10.7 or later) or your installation disc (if running an earlier version of the Mac OS), launch Disk Utility, and erase the startup drive. This action will destroy all data on the drive, so you must be sure of your backups.
3. Install the Mac OS.
4. Reboot and go through the initial setup process to create an account with the same name as your old one. Don’t import anything from your backups at this stage.
5. If running Mac OS X 10.6.x or earlier, run Software Update. You may have to run it more than once to fully update your system.
6. Restore the contents of the top-level subfolders of your home folder except “Library” from the most recent backup. The Library folder may contain components of the malware. It’s best not to restore anything from there. If you must do so, restore only files, not folders, and only if they’re visible in the Finder, and then only if you’re absolutely sure you know what they are and they haven’t been altered. Don’t restore anything in the home subfolder Library/LaunchAgents, if it exists, or any hidden files or folders, no matter where they are.
7. Launch Safari and select Safari ▹ Preferences… ▹ Security from the menu bar. Uncheck the box labeled Enable Java. Because of recurring security issues, the Java web plugin must be considered unsafe to use. (Note: I’m not referring to JavaScript, which is unrelated to Java, despite the similar names.) Very few websites have legitimate Java content nowadays. If you encounter one that does, and you think you can trust it, enable Java temporarily. Do this only if you know how to check for a malware infection immediately afterwards. If you’re not sure whether you know how to check, you don’t know how. Don’t rely on any kind of “anti-virus” software for protection.
8. Change every Internet password you have, starting with banking passwords. Check all financial accounts for unauthorized transactions. Take this step only after you’ve secured your system in the preceding steps, not before.
9. Reinstall your third-party software from fresh downloads or original media, not from backups which may be contaminated.
10. If you use any third-party web browsers, disable Java in their preferences, as you did with Safari in step 7.
More information about Flashback can be found by searching this site, or the Web.
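
A read-only triage pass over the locations this thread names (hidden `.so` files in /Users/Shared, environment.plist, and Library/LaunchAgents from step 6), as an added example that is not part of the original posts. The `~/.MacOSX/environment.plist` path and the `DYLD_INSERT_LIBRARIES` key are assumptions not stated on the page, and the function name and output labels are hypothetical. As the quoted advice says, the malware keeps changing, so an empty result does not prove a clean system.

```shell
#!/bin/sh
# Added example (not from the thread). Read-only: it lists files, it never
# deletes or modifies anything.
#
# flashback_triage ROOT
#   ROOT is the filesystem root to inspect: "/" on a running Mac, or the
#   mount point of a backup you are deciding what to restore from.
#   Prints one line per finding; returns 0 if nothing was found, 1 otherwise.
flashback_triage() {
    root=${1%/}
    hits=0

    # 1. Hidden shared libraries in /Users/Shared, the check from the thread.
    for lib in "$root"/Users/Shared/.*.so; do
        [ -f "$lib" ] || continue
        echo "SUSPECT hidden library: $lib"
        hits=$((hits + 1))
    done

    # 2. Per-user locations.
    for home in "$root"/Users/*; do
        [ -d "$home" ] || continue
        [ "${home##*/}" = "Shared" ] && continue

        # environment.plist sets variables for every app the user launches.
        # Assumption (not on the page): it lives in ~/.MacOSX/ and a
        # DYLD_INSERT_LIBRARIES key is what makes it load a library.
        env_plist="$home/.MacOSX/environment.plist"
        if [ -f "$env_plist" ]; then
            if grep -q "DYLD_INSERT_LIBRARIES" "$env_plist"; then
                echo "SUSPECT library injection: $env_plist"
            else
                echo "REVIEW environment file: $env_plist"
            fi
            hits=$((hits + 1))
        fi

        # Step 6 of the quoted advice: restore nothing from LaunchAgents.
        for agent in "$home"/Library/LaunchAgents/*; do
            [ -e "$agent" ] || continue
            echo "REVIEW launch agent: $agent"
            hits=$((hits + 1))
        done
    done

    [ "$hits" -eq 0 ]
}

# Usage on a live system:  flashback_triage /
```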

Similar Messages

  • My Mac still thinks I have MobileMe

    I'm running 10.7.4, and I'm trying to enable iCloud on my Mac to work with my iPhone.  When I click on iCloud in Preferences, I'm prompted to convert my MobileMe account to iCloud, which I can't do because it's no longer available.  How do I bypass this on my Mac, so I can set up iCloud sharing in iTunes and iPhoto?  Those apps still think I'm working with MobileMe.

    Have you migrated to iCloud yet ... if you have not it is too late to do so. Sign out of MobileMe and open a new iCloud account.

  • I have an iMac running OS 10.4.11. How can I check to see if I have the Flashback Trojan (and remove it, if I have it)? My Safari is also crashing frequently. Any suggestions?

    I have an iMac running OS 10.4.11. How can I check to see if I have the Flashback Trojan (and remove it, if I have it)? My Safari is also crashing frequently. Any suggestions?

    Hi Barry, is this an Intel iMac, or a PPC iMac?
    Disable Java in your Browser settings, not JavaScript.
    http://support.apple.com/kb/HT5241?viewlocale=en_US
    http://support.google.com/chrome/bin/answer.py?hl=en-GB&answer=142064
    http://support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets
    Flashback - Detect and remove the uprising Mac OS X Trojan...
    http://www.mac-and-i.net/2012/04/flashback-detect-and-remove-uprising.html
    In order to avoid detection, the installer will first look for the presence of some antivirus tools and other utilities that might be present on a power user's system, which according to F-Secure include the following:
    /Library/Little Snitch
    /Developer/Applications/Xcode.app/Contents/MacOS/Xcode
    /Applications/VirusBarrier X6.app
    /Applications/iAntiVirus/iAntiVirus.app
    /Applications/avast!.app
    /Applications/ClamXav.app
    /Applications/HTTPScoop.app
    /Applications/Packet Peeper.app
    If these tools are found, then the malware deletes itself in an attempt to prevent detection by those who have the means and capability to do so. Many malware programs use this behavior, as was seen in others such as the Tsunami malware bot.
    http://reviews.cnet.com/8301-13727_7-57410096-263/how-to-remove-the-flashback-malware-from-os-x/
    http://x704.net/bbs/viewtopic.php?f=8&t=5844&p=70660#p70660
    The most current flashback removal instructions are F-Secure's Trojan-Downloader:OSX/Flashback.K.
    https://www.securelist.com/en/blog/208193454/Flashfake_Removal_Tool_and_online_checking_site
    More bad news...
    https://www.securelist.com/en/blog/208193467/SabPub_Mac_OS_X_Backdoor_Java_Exploits_Targeted_Attacks_and_Possible_APT_link
    Removal for 10.5...
    http://support.apple.com/kb/DL1534

  • I used my iphone to send a message in French. I have changed the settings back to English but when I send a text or write a message it still thinks I am typing in French. Any suggestions?

    Any thoughts on how to resolve the above? Namely I went into settings changed the language to French. Sent a message to someone in France in French. Went back to settings selected British English. Reset the phone into English, but it still thinks it is 'French' when sending a message or text. Have gone back to settings tried to reset the keyboard to original factory settings. No joy. Switched the phone on and off. No joy. It still assumes it is French when sending a text or email even though the settings are all set for English. Any suggestions on how to resolve this???

    Amazing response. Unbelievably fast. Totally helpful. Totally
    accurate.
    A thousand thanks
    Damian

  • What can I safely recover from Time Machine if I have the Flashback Trojan?

    I have recently found out that my iMac has been infected with the Flashback trojan.  I followed the commands from F-Secure to remove it from my computer however I'm not happy with this solution.  I am going to erase my hard drive and re-install the operating system.  I would then like to restore some of my folders using Time Machine.  However, before I do any of that I would like to know if it's safe to restore from my Home folder the following folders; Movies, Music, and Pictures.  Also, is it safe to recover databases from Address Book and iCal, and accounts from Mail and bookmarks from Safari?
    I apologize if this question is in the wrong category and I would like to thank anyone in advance that may be able to help, as it's much appreciated!

    Plug an external drive into the computer and use that to expand data onto.
    http://pondini.org/TM/16.html

  • I now have husband's old phone, but it still thinks it's his. how do i get it to recognise me? thanks

    I now have my husband's iPhone as he has upgraded, but it still thinks it's his, how do I get it to recognise me, my contacts etc? Much appreciated if you can help me turned

    settings - general - reset - erase all contents and settings - this will wipe the phone clean as new.
    Then you set up using your info.

  • I keep getting Alarm popups saying that it cannot send msg using the server null. I think I have disabled email (I use Gmail) and the calendar however I still get these popups and I can't close them?

    I keep getting Alarm popups saying that it cannot send msg using the server null.
    I think I have disabled email (I use Gmail) and the calendar however I still get these popups and I can't close them?
    How can I disable the Alarm popups?
    Thanks
    Brian

    OS X Mail: Troubleshooting sending and receiving email messages - Apple Support
    Google Mail recently implemented additional security measures "for your protection" of course. The manifestation of that may be the requirement to create a unique, "application-specific" password for each one of the various Google services you may use. That requirement probably includes Google Mail. So if the above Apple Support document doesn't resolve the problem, research Google's application-specific password requirements, and how to configure Mail to use it.
    I asked the Hosts to edit or obscure the email address in your post.

  • HT5271 I can no longer use Pandora because I get a message saying download adobe 10.1 or later. I think I have a later version, 11.?, which I have downloaded. but I still get the message and can't play Pandora.

    I can no longer use Pandora because I get a message saying download adobe flash 10.1 or later. I think I have a later version, 11.?, which I have downloaded. but I still get the message and can't play Pandora.
    How do I determine that in fact I have the appropriate version of adobe flash to run Pandora.

    How do I determine that in fact I have the appropriate version of adobe flash
    Open the Finder. From the Finder menu bar click Go > Go to Folder
    Type this exactly as you see it here;
    /Library/Internet Plug-Ins
    Click Go
    Then right or control click the Flash Player.plugin then click Get Info
    The version number is noted there.
    Assuming you are using Safari ...
    Check Safari > Preferences > Security
    Make sure:  Enable plug-ins is enabled.
    Sometimes uninstalling the currently installed Flash plugin then reinstalling new can help > Troubleshoot Flash Player | Mac OS
    If you have the ClickToFlash extension installed, that can prevent Flash based video / audio from streaming. It can also be installed as a plugin in /Library/Internet-Plug-Ins.
    And check to see if Safari is running in 32 bit mode. Right or control click the Safari icon in your Applications folder then click Get Info. If the box next to:  Open in 32 bit mode  is selected, deselect, quit then relaunch Safari.
    edited by:  cs

  • HELP! I had a Flashback Trojan/Malware on my Mac, I deleted it in trash, and now my Mac won't start.

    At first my Mac Finder showed n81, n82, etc when you right-click it, instead of the commands " open new finder window", "hide" etc. I also noticed that sometimes, when I would go to sites such as facebook, it would redirect to a different site and I'd have to type in the address again to get to the site. Nothing else was wrong with it. Safari was not shutting down. It wasn't slow.
    I did some research and found that I probably have the Flashback Trojan/Malware virus (whatever that is?) And so I followed what some people did (which got their mac fixed) .. I downloaded ClamXav and TinkerTool to find the malware (hidden files) and I deleted it in trash.. my computer seemed fine but when I restarted it, it won't turn on anymore.. the screen remains blue, the mouse could still be moved, but it stays that way..
    did I lose all my files? am I being hacked as we speak? Is this virus very dangerous?! I am very paranoid and know nothing about this kind of stuff so please help!
    BTW, the malware was from the game Farm Frenzy.. I have no idea how I got this... I never play online games.

    @Thomas, Thanks for jumping in. I had to take my wife to a Doctor appointment and things went down hill from there.
    I note that you are using Mac OS X 10.5.x.  It's important to understand that the Java vulnerabilities that allowed this malware to get established on your machine cannot be fixed in 10.5.x.  You would need to upgrade to at least 10.6 (Snow Leopard) to be able to get a version of Java with those vulnerabilities fixed.  (Correct me if I'm wrong there, Al!)
    That's 100% correct. Natalia has the distinction of being the first OS X 10.5 user confirmed to be infected by Flashback as far as I can tell. That operating system is becoming increasingly dangerous as the days go by. The OS has not been updated since Aug 2009 and the last Security and Java updates were in June 2011. There is no XProtect system and more and more third parties have dropped support in updating their Applications.
    Natalia_ wrote:
    I actually ran disk utility, and it said that the Macintosh HD is fine... I also tried safe mode/safe boot and did the FSCK command.. even that said that my laptop was fine? but somehow it still stays blue when I start up!
    And I think it probably is fine, except that something is hanging during the initial loading process. Could be most anything.
    As for my files, I appreciate your advice but I am scared I might do something wrong and mess my laptop up even more!
    There is almost no chance of that and at this point it should be obvious to you that if the files on your laptop are that important, you should already have a backup.
    I will take it to Apple and hopefully they can help me... because it seems that my files aren't wiped out... yet... It still displayed that I had my files in there..
    One word of caution, then. I have been told that Apple has instructed their support folks not to attempt to clean up a malware infection. If I were you I wouldn't bring it up unless you have to.
    By the way, while the disk was running, it was making very loud noises.. humming/grinding/etc... what could this mean?
    Only one thing in my experience, your hard drive is toast. All the more reason to try and get all the data you can off it immediately.
    The only way to test it is to do a surface scan which Disk Utility cannot do. You would need a third party utility to do that. If it tells you there are bad sectors, that is 100% proof that it's going bad, as modern hard drives repair themselves of bad sectors until they run out of reserves to substitute.

  • How deal with FLASHBACK trojan?

    Hey folks!
    I updated Adobe Flash player a few days ago (the update popped up - I did not search for it) and I think I may have installed the "Flashback" trojan 'cuz I did the update in a hurry. Is there any way to find out if the trojan has found its way into the computer or is a format and reinstallation of the OS necessary? Thanks!!!

    woofmatix wrote:
     So I guess if that file ain't there, the Trojan has not entered the system right?
    Don't assume anything, run a scan using ClamXav and if your Apple Software Update works you can pretty much be rest assured you don't have it.
    Also I would like to know if this comes as an update or just an installer.
    It's a trojan installer on hostile web sites.
    If you look at your Adobe Flash System Preference pane it's got its own system to check with Adobe and verify the download. The confusion happens because there is a pop-up when one visits a web page and their Flash is outdated.
    I always download my Flash here
    http://get.adobe.com/flashplayer/
    If you're still concerned you can perform a
    Restoring OS X 10.5 10.6. 10.7 - simple overwrite OS method
    https://discussions.apple.com/message/16276201#16276201
    That will flush anything out of OS X, but you still need to clean up Applications and Users folders.

  • I think I have a virus/spyware/adware???

    Hello!
    Last week while I was on www.google.com searching images, my Safari download manager popped up and began downloading "soft_58s7.exe". I immediately deleted it and assumed that I had clicked on an image that took me to a link that gave me a virus. I continued on using google, and when searching something completely different the download occurred again, and again. Each time I deleted the file from my computer by locating it in Finder and dragging it to the trash.
    However, now I get random pop-ups every once in a while while using sites that I know do not have pop-ups (Google search, aol.com, facebook). So I think I have a virus.
    I also tried to download ProtectMac Antivirus, but it tells me that it cannot be downloaded because there is another antivirus software on my computer that it is not compatible with. I checked my applications and there was an app called "VirusProtect", which I drug to the trash as well. However I still received this message that ProtectMac could not be installed because of another antivirus application. I believe that I either did not uninstall VirusProtect correctly, which I need help doing because the icon is no longer there, or this is also an effect of the virus.
    Please help!!
    I'm on a MacBook, running OS X 10.5.8
    Thank you!
    I think this is also an effect of the virus because I have no virus protection on my com

    .exe files are Windows executables that do not run on Macs, and simply downloading one will not give you a virus. Random pop-ups in your browser may occur but as long as you dismiss them there should be nothing of concern.
    You cannot delete virus protection software by dragging it to the Trash. You must use the appropriate uninstaller that is included with the software.
    Also see:
    Do You Need Anti-Virus Protection for Your Mac?
    According to Rich Mogull's article, Should Mac Users Run Antivirus Software?,
    "The reality is that today the Mac platform is relatively safe. There are hundreds of thousands of viruses and other malicious software programs floating around for Windows, but less than 200 are known to target the Mac, and many of those are aimed at versions of the Mac OS prior to Mac OS X (and thus have no effect on a modern Mac).
    It's not that Mac OS X is inherently more secure against viruses than current versions of Windows (although it was clearly more secure than Windows prior to XP SP2); the numerous vulnerabilities reported and patched in recent years are just as exploitable as their Windows equivalents. But most security experts agree that malicious software these days is driven by financial incentives, and it's far more profitable to target the most dominant platform."
    Mr. Mogull is a computer security expert. I recommend reading the entire article as it is quite informative.
    For additional information on viruses, trojans, and spyware visit The XLab FAQs and read the FAQs on viruses and spyware.

  • How dangerous is Flashback Trojan and how do I protect my iMac with OSX 10,6?

    I just recently updated to 10.6.3 which, as far as I know does not have built-in protection from stuff like Flashback Trojan.  When I click on "Software Update" all I get is an inactive, blank screen.  I was told that if I clicked on that I would be able to download Apple's patch preventing this from infecting my iMac.  HELP!

    Download and apply the latest Combo updater for OS X 10.6: http://support.apple.com/kb/DL1399
    After doing this, try using Software Update again to ensure everything is up to date. If it still doesn't work, then at least do the following:
    1. Open the program "Java Preferences" in the Utilities folder.
    2. If it gives you a warning about needing to install Java, click Not Now and stop (you're done).
    3. If it opens without giving you any warnings, then download and apply this update: http://support.apple.com/kb/DL1516
    Doing this will update your system and patch the Java vulnerability that allows this hack to happen.

  • HT5228 How to find out if your Mac has the Flashback Trojan EASY WAY!!!!

    http://www.cnn.com/2012/04/06/tech/web/mac-flashback-trojan-check/index.html
    Just did it works great and they also have a post on how to remove it as well.

    Here is an even easier way, it will remove most infections too:
    I have created a user tip and malware checker/removal tool: https://discussions.apple.com/docs/DOC-3271

  • I've just purchased a new 2014 15" MacBookPro to replace my much missed 17" MBP. I got the works: OS 10.9.4, 2.8GHz Intel i7, 16GB memory and a 1 TB SSD, but despite the expense, I still don't have a computer that works...  The problem is that every

    I've just purchased a new 2014 15" MacBookPro to replace my much missed 17" MBP. I got the works: OS 10.9.4, 2.8GHz Intel i7, 16GB memory and a 1 TB SSD, but despite the expense, I still don't have a computer that works...
    The problem is that every time I try to open any program from Office 2011, I immediately get the following window, for example for Word: "Microsoft Word has encountered a problem and needs to close. We are sorry for the inconvenience." This happens each and every time I try to open Word or other Office 2011 component.
    Thinking it might be a licensing issue, I purchased and downloaded a new copy of Office 2011 from Amazon and installed it on my new MBP. Same issue once again.
    I tried to remove all copies of Office 2011 from the MBP, but the instructions provided by Microsoft required about three pages and seventeen steps and the page was somehow corrupted and would not print in its entirety, nor would it e-mail as anything other than a link to the corrupted page. Not trusting my memory, I decided not to try this without adult supervision.
    I used Disk Utility to repair Disk Permissions, as described on an existing thread regarding the same problem, but to no avail.
    I removed and later replaced the "Microsoft User Data" folder from the Documents folder, but that was no help.
    I have copied the short version of the "Microsoft Error Reporting log version: 2.0," below, for those of you with a deeper knowledge of the internal workings, or non-workings of things Mac when crossed with things MS.
    Error Signature:
    Exception: EXC_BAD_ACCESS
    Date/Time: 2014-08-28 03:31:31 +0000
    Application Name: Microsoft Word
    Application Bundle ID: com.microsoft.Word
    Application Signature: MSWD
    Application Version: 14.4.3.140616
    Crashed Module Name: CoreFoundation
    Crashed Module Version: 855.17
    Crashed Module Offset: 0x00018442
    Blame Module Name: MicrosoftOleo
    Blame Module Version: 14.4.3.140616
    Blame Module Offset: 0x000017f3
    Application LCID: 1033
    Extra app info: Reg=en Loc=0x0409
    Crashed thread: 0
    Surely others have encountered and solved this same problem, and I'm hoping they can help me do the same. I don't know if this is a known issue or simply a matter of my having bumbled naively through a process far more complex than I was led to believe.

    http://www.microsoft.com/mac/support
    http://answers.microsoft.com/en-us/mac/forum/macword?auth=1
    http://answers.microsoft.com/en-us/mac/forum/macoffice2011-macword/microsoft-word-for-mac-2011-will-not-open-error/ecc42616-6f49-40bb-b8f5-e21c711ea359

  • How can i fix flashback trojan in my ipad thx

    hi all safari and other apps like chrome and mercury etc have been crashing unexpectedly how can i fix that , i updated iPad and said no more update , pls advise , i read all the messages seems that there is something called flash back trojan how do i remove it
    thx all

    It is not possible for an iPad to contract the Flashback trojan since the iPad cannot run Java. Try the usual steps: restart, reset, restore.
    http://support.apple.com/kb/HT1430
    http://support.apple.com/kb/HT1414
    If you try restoring from a backup and that doesn't fix the problem, try restoring to factory settings and synching your apps. You'll lose the app data and settings, but if the problem is due to a corrupt cache or settings file, that should cure it.
    Regards.
