Download Anti Flashback Trojan for Mac - Checks for the Flashback Trojan. MacUpdate.com

Anti Flashback Trojan 2.1.1

Your rating: Now say why...

(2) 5

Checks for the Flashback Trojan. Free

Add to my Watch List
Email me when discounted

Download
979 KB
Visit Developer's Site
Moritz Wette

Anti Flashback Trojan is a free application that checks for the Flashback Trojan.

Flashback is a variant of the Tsunami Trojan for Mac OS X, and has so far infected over 600, 000 of them. Now you can check whether your Mac is infected with the Flashback-Trojan without resorting to manual removal in Terminal. For more information what Flashback does, including manual removal instructions, see the F-Secure website.

Incidentally, all my apps are free, so any donation would be very much appreciated.

What's New

Version 2.1.1:

Adds a google chrome scan (improved virus search)
Adds a download link to the apple flashback remove tool
Some minor changes

Requirements
Intel, OS X 10.5 or later

Magican AntiTr...

+5
Free

Find and remove Trojans.
Norton AntiVir...

+1
Demo $49.99

Anti-virus software.
ClamXav

+1
Free

Free virus checker, based on ...

Anti Flashback Tro... User Discussion (Write a Review)

ver. 2.x:

(2)

Your rating: Now say why...

Overall:

(8)

sort: smiles | time

Schmye-Bubbula commented on 25 Apr 2012

I can't glean from the description or from the publisher's website whether this thing will actually remove the malware, or only check for it.

[Version 2.0.4]

1 Reply

+45

Dalahast replied on 10 Jan 2013

The release notes for the latest update include adding a download link to the removal tool, so presumably it only checks. If you're infected, it'll let you know where to go to remove it.

+375

B. Jefferson Le Blanc commented on 22 Apr 2012

This app is viable if for no other reason than it works on OS X 10.5. Apple has stopped supporting OS versions before Snow Leopard so there's no Java update for Leopard users. They might appreciate a tool that can check their systems for infection. Indeed, so might Tiger users. That said, they would all be well advised in the now riskier climate for Mac security to install an app like ClamXav that still supports older Macs.

[Version 2.0.3]

1 Reply

+659

Cowicide replied on 10 Jan 2013

Beware of relying solely on ClamXav, though. I've tested more than a few trojans with it and it didn't detect them. ClamXav is great, but I never rely on it alone.

+237

Jazzica commented on 22 Apr 2012

I was using Dreamweaver on my Mac about 2 weeks ago. A very suspicious window closely resembling but not exactly like the flash installer popped up and said I was running an old version of flash and needed to update it. It directed me to enter my password, not giving me a choice. I refused. I restarted and no more installer.

My flash version was not only up-to-date. It was a an advanced beta version. This has not happened since. I'd steer clear of scripts offering to delete this 'virus' since Mac has put out a very effective Java fix, and since this bug is supposedly very hard to remove. I would NOT click "update" on any flash installer that appears out of nowhere ordering you to install a version not listed on Adobe's web site. If it's not on Adobe's download page, it's fake.

[Version 2.0.3]

-72

LizBo commented on 16 Apr 2012

I have serious doubts about the credibility of the people claiming this trojan infected 600,000 Mac computers. I think the numbers are a outright lie and exaggerated to scare people into buying AV software. I was not infected, none of my friends or family were infected. And none of the 10,000+ worldwide clients the company I work for had a single reported infection.

[Version 2.0.2]

1 Reply

-1

-339

Acuraice replied on 22 Apr 2012

why not?? my imac was found to be infected!! so im am definitely one of the 600,000, probably more!! not sure how it happened but apple's java update said it was infected and removed it. heard online that a fake adooe flash installer was the culprit, though i always get my flash updates from adobe's site.My imac is very secure with vpns,espionage,file vault,security spy,etc. I secure delete everything,make fresh TM backups faithfully,repair with various tools including diskwarrior 4.4,disk utility,cleanmymac,macscan and virus barrier. All always come out clean except for this flashback infection. Could happen to anyone.

+192

Mysticalos commented on 16 Apr 2012

apples tool is out now

http://www.macupdate.com/app/mac/42634/flashback-malware-removal-tool

[Version 2.0.2]

1 Reply

+242

RavenNevermore replied on 23 Apr 2012

Note that it's only for Lion users without java installed.

-1

+152

Beamy commented on 11 Apr 2012

You may also try the Kaspersky Flashfake Trojan removal tool :

info:
http://www.securelist.com/en/blog/208193454/Flashfake_Removal_Tool_and_online_checking_site

Download:
http://support.kaspersky.com/downloads/utils/flashfake_removal_tool.zip

:)

[Version 1.0.2]

1 Reply

Alvarnell replied on 11 Apr 2012

Had two users today get locked out of their accout using Kaspersky's script. They were also using the wrong reference. I left them a couple of notes on this.

F-secure also posted their tool moments ago. Looks promising, but time will tell.

Apple promises us something RSN...

+21

Strych9 commented on 11 Apr 2012

Reports need to clean but Fsecure defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES reports nothing...
Thanks a lot anyway for your help.

[Version 1.0.2]

+22

Tareed reviewed on 10 Apr 2012

Be cautious of relying on scripts like this one. It is based on instructions for a specific variant from F-Secure, which do not work for all variants. It would be better to rely on some good anti-virus software, like Sophos Anti-Virus for Mac Home Edition or ClamXav, both of which are completely free, with no subscriptions or time limitations. And no, I'm not associated with either product.

[Version 1.0.2]

1 Reply

+162

Donmontalvo replied on 11 Apr 2012

Ya, this is one of the reasons the antivirus/malware companies are behind the curve on this one.

Alvarnell reviewed on 10 Apr 2012

All references to the F-Secure document for cleaning this malware are out-of-date. The correct one for removing the current variant that has supposedly infected over 600,000 Macs is http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml which has been out for over a week now.

[Version 1.0.2]

1 Reply

Moritz Wette (developer) replied on 11 Apr 2012

Fixed and updated in version 2.0! :)

+36

Simbasounds reviewed on 09 Apr 2012

This may not be the most sophisticated software, but the developer has responded quickly and provided it for free (so far there's nothing else on MacUpdate - their review process is somewhat quirky.)

I checked the script and it's not a trojan installer as one user suggested.

See for yourself:

--
-- Anti Flashback-Trojan
--
-- Created by Moritz Wette on 06.04.12.
-- Copyright 2012 Moritz Wette. All rights reserved.
--

on scan1()
try
set command to do shell script "defaults read /Applications/Safari.app/Contents/Info LSEnvironment"
--set output to words of (do shell script command)
return true
on error errmsg
if (errmsg contains "does not exist") then return false
end try
end scan1
on scan2()
try
do shell script "defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES "
return true
on error errmsg
if (errmsg contains "does not exist") then return false
end try
end scan2
on scan3()
try
do shell script "defaults read /Applications/Firefox.app/Contents/Info LSEnvironment"
return true
on error errmsg
if (errmsg contains "does not exist") then return false
end try
end scan3
on scan4()
try
do shell script "defaults read /Applications/Google Chrome.app/Contents/Info LSEnvironment"
return true
on error errmsg
if (errmsg contains "does not exist") then return false
end try
end scan4

(*on remove1()
try
do shell script "grep -a -o '__ldpath__[ -~]*' " + scan1_return
on error errmsg
display dialog errmsg
end try
try
do shell script "sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment"
on error errmsg
display dialog errmsg
end try
try
do shell script "sudo chmod 644 /Applications/Safari.app/Contents/Info.plist"
on error errmsg
display dialog errmsg
end try
end remove1*)
(*on remove2()
try
do shell script "grep -a -o '__ldpath__[ -~]*' %path_obtained_in_step9%"
on error errmsg
display dialog errmsg
end try
try
do shell script "defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES"
on error errmsg
display dialog errmsg
end try
try
do shell script "launchctl unsetenv DYLD_INSERT_LIBRARIES"
on error errmsg
display dialog errmsg
end try
end remove2*)

on run
set f to 0
scan1()
if (scan1() = true) then set f to f + 1
scan2()
if (scan2() = true) then set f to f + 1
scan3()
if (scan1() = true) then set f to f + 1
scan4()
if (scan2() = true) then set f to f + 1

if (f > 0) then
set temp to display dialog "Your computer is infected!" with icon 0 buttons {"Okay"}
if (button returned of result = "Remove The Flashback-Trojan") then
--if (scan1() = true) then remove1()
--if (scan2() = true) then remove2()
--display dialog "Your computer should be clean now!"
--open location "http://www.moritzwette.com/donate"
end if
else
display dialog "Your computer may be clean!"
open location "http://www.moritzwette.com/donate"
end if

end run

[Version 1.0.1]

4 Replies

Moritz Wette (developer) replied on 09 Apr 2012

Yes the script check whether your infected or not. I excluded ((**) and --) all the remove operations because the function is disabled at the moment. I need a infected computer where I can create a useful applescript automation basing the steps at http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml!

+36

Simbasounds replied on 09 Apr 2012

Thanks Moritz :) i just posted that there so people could see that your software isn't a Flashback installer. I'm surprised there aren't more developers issuing remove tools for this trojan - it just seems to be you. Well done, and thanks. I'm busy compiling a kit with instructions for checking and then securing non-infected systems. I'll post a link here when it's ready in the next hour hopefully.

+87

WordWeaver replied on 09 Apr 2012

In looking at the actual contents of this script, I think that it is important to point out that this script may only work IF you have your web browser set to its default name. In other words, for example, if you are using Safari, and your web browser's file name is Safari.app -- it doesn't matter if the extension is invisible or not, I believe -- the script will work. However, if you are in the habit of adding version numbers to your apps -- such as Safari 5.1.5.app -- I suspect that the script may throw an error, or simply not work at all. Please note that I have not used this script, being as I already followed the manual route a few days ago, so I am just going by what I see in the script's actual code. Perhaps someone else can verify -- or refute -- what I have stated here.

-1

Moritz Wette (developer) replied on 10 Apr 2012

@WordWeaver Thanks for the information! This might be a good idea. I will check it in the next days and fix it if it's possible.