Is my Mac infected with the Flashback trojan?

security malware

Solution 1:

You can follow these instructions from F-Secure to uninstall/remove the malware:

  1. Run the following command in Terminal: 

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment

  2. Take note of the value, DYLD_INSERT_LIBRARIES

  3. Proceed to step 8 if you got the following error message:

    "The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist"

  4. Otherwise, run the following command in Terminal: 

    grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step2%

  5. Take note of the value after "__ldpath__"

  6. Run the following commands in Terminal (first make sure there is only one entry, from step 2): 

    sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment`

sudo chmod 644 /Applications/Safari.app/Contents/Info.plist`

  7. Delete the files obtained in steps 2 and 5

  8. Run the following command in Terminal: 

    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

  9. Take note of the result. Your system is already clean of this variant if you got an error message similar to the following: 

    "The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist"

  10. Otherwise, run the following command in Terminal: 

    grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%

  11. Take note of the value after "__ldpath__"

  12. Run the following commands in Terminal: 

    defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

launchctl unsetenv DYLD_INSERT_LIBRARIES

  13. Finally, delete the files obtained in steps 9 and 11.

Update:

Apple has released an official tool for uninstalling the malware. Read about it and download it on this Apple KB page.

F-Secure has also released a removal tool, which you can download here.

Solution 2:

Flashback Checker

This is for your relatives and friends that want to avoid using the Terminal.

Download this free app from Github. As referenced in this Macworld article, the single-function app will quickly check your machine for the infection. The app doesn't remove the malware, which will be left up to the user by manually following the instructions from F-secure.

enter image description here

Solution 3:

Kaspersky's removal tool

...checks if your Mac is affected and removes the trojan if necessary. You can download it on
http://support.kaspersky.com/downloads/utils/flashfake_removal_tool.zip

enter image description here

Check online using your UUID

You can check if you Mac is affected using your UUID (Universally unique identifier) on http://flashbackcheck.com/

  1. Go to:

     /Applications/Utilites/System Information.app

    enter image description here

  2. Check the UUID on http://flashbackcheck.com/

Related

Macbook pro stuck on 'About a second remaining' for an hour
What does a .dmg verify?
How to get iMessages to sync across an iPhone, iPad and Mac automatically?
Why must I source .bashrc every time I open terminal for aliases to work? [duplicate]
How do configure Skype For Business to not start when macOS starts? [duplicate]
Which Intel "generation" is my Mac's CPU?
Disable full screen system wide on OS X 10.9.5
How does Toad predict the winner?
How do I kill a powerful player without PVP?
Primary / secondary Switch accounts
What order is needed to get the highest level enchantments on Diamond Armor in Minecraft without reaching "Too Expensive!"?
Server not starting. "Cannot invoke "aag.f()"