
2 infections in Adobe Flashplayer download


10 replies to this topic

#1 Twin B
  • Members
  • 247 posts
  • Location:More Than a Mile High

Posted 04 January 2017 - 01:05 PM

Just an FYI: my iMac began having a problem opening files that I presume use the flashplayer. I downloaded Avast Mac Security 2016 and scanned the machine. The two infections were contained in downloads/adobe_flashplayer_e2c7b_setup.dmg; the installer app was the location. 

 

This is only the third infection I've had (that I know about) since I bought my machine in 2009. Compared to my previous experiences with Windows machines, I think that's a pretty good track record. Still, if someone says a Mac doesn't get infections they're wrong. 


Edited by Twin B, 04 January 2017 - 05:00 PM.

I've learned blood is not thicker than money. 

 




#2 smax013
  • BC Advisor
  • 2,329 posts

Posted 06 January 2017 - 03:40 PM

Just an FYI: my iMac began having a problem opening files that I presume use the flashplayer. I downloaded Avast Mac Security 2016 and scanned the machine. The two infections were contained in downloads/adobe_flashplayer_e2c7b_setup.dmg; the installer app was the location. 
 
This is only the third infection I've had (that I know about) since I bought my machine in 2009. Compared to my previous experiences with Windows machines, I think that's a pretty good track record. Still, if someone says a Mac doesn't get infections they're wrong.


Are you sure you got the Flash DMG from the Adobe site? The reason I ask is that all the Flash DMG download files I have on my computer have the filename start with "AdobeFlashPlayer" with no underscore (i.e. no "_") between the "adobe" and "flashplayer" and all "first" letters capitalized. Now, I will admit that the oldest Flash DMG that I have on this machine is from 2014, so it is possible that they did use a different naming system for older versions.

#3 dante12
  • Members
  • 193 posts

Posted 06 January 2017 - 08:27 PM

I think you downloaded the installer from a malicious site or a download site? The real filename for Adobe Flash looks similar to this: install_flash_player_osx_(PPAPI or NPAPI).dmg.

 

1. Please download Malwarebytes Anti-Malware for Mac.

2. Open the DMG file, move the app to your program files and start it.

3. Click on Scan. Any malware files that are found will be deleted. Restart if needed.

4. Go to the MBAM menu bar and choose Scanner -> Take System Snapshot.

5. Copy and paste the content here.



#4 Twin B
  • Topic Starter
  • Members
  • 247 posts
  • Location:More Than a Mile High

Posted 06 January 2017 - 11:00 PM

I'm not sure what to make of it or where I got it from. I usually get a message from Adobe that an update is available & I click on their link to download it. Maybe the infection came in from another site and installed itself in the downloads, but wouldn't I have to click on the installer to install it or could it install itself without me doing anything? The last download I have in my 'downloads' list is named Install_flash_player_osx-10.dmg at 18.0 MB. The one before that is Install_flash_player_osx.dmg at 17.0 MB. 

 

Dante, I can't use MBAM because my system is 10.6.8 and they don't support that version anymore. But I do have Etrecheck if you want me to try that to get more information. 

 

It's kind of a puzzling head scratcher but Avast did find it & isolated it. 


I've learned blood is not thicker than money. 
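Added example, not code from the thread or from Adobe: a Python 3 script that applies the filename sanity check smax013 and dante12 describe above to the names Twin B has listed, and adds a SHA-256 per installer so the file can be looked up on a multi-engine scanner. The two "official" name patterns are an assumption built only from the shapes the posters reported; the random-hex-token heuristic (the "e2c7b" fragment in the flagged name) is my own and is labelled as such in the code. The sample names used in the test are the ones quoted in this thread.

```python
"""Triage Flash Player installer DMGs in a Downloads folder (added example)."""
from __future__ import annotations

import hashlib
import re
import sys
from pathlib import Path

# ASSUMPTION (not from the thread or Adobe): the two naming shapes posters reported
# for Adobe's own installers. The second pattern is deliberately case-sensitive,
# because smax013's point was that the genuine names have capitals and no underscore.
OFFICIAL_NAME_PATTERNS = (
    re.compile(r"^install_flash_player_osx(_(ppapi|npapi))?(-\d+)?\.dmg$", re.IGNORECASE),
    re.compile(r"^AdobeFlashPlayer[\w.-]*\.dmg$"),
)


def random_hex_tokens(name: str) -> list[str]:
    """Heuristic (my own): name fragments that look like generated hex IDs, e.g. 'e2c7b'.

    A token counts if it is 5+ hex characters and mixes digits with a-f, so ordinary
    words ('setup', 'flash', 'dmg') and short version numbers ('10') are not flagged.
    """
    tokens = re.split(r"[^0-9a-z]+", name.lower())
    return [
        t for t in tokens
        if re.fullmatch(r"[0-9a-f]{5,}", t) and re.search(r"\d", t) and re.search(r"[a-f]", t)
    ]


def triage_name(name: str) -> list[str]:
    """Return human-readable reasons a filename looks wrong; empty list means it fits."""
    reasons = []
    if not any(p.match(name) for p in OFFICIAL_NAME_PATTERNS):
        reasons.append("does not match any known Adobe installer name pattern")
    for tok in random_hex_tokens(name):
        reasons.append(f"contains random-looking hex token '{tok}'")
    return reasons


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Stream the file so large DMGs do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_downloads(folder: Path) -> list[dict]:
    """Report every .dmg in the folder whose name mentions Flash."""
    findings = []
    for dmg in sorted(folder.glob("*.dmg")):
        if "flash" not in dmg.name.lower():
            continue
        findings.append({
            "file": dmg.name,
            "size": dmg.stat().st_size,
            "sha256": sha256_file(dmg),
            "reasons": triage_name(dmg.name),
        })
    return findings


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / "Downloads"
    for f in scan_downloads(target):
        verdict = "SUSPECT" if f["reasons"] else "fits Adobe naming"
        print(f"{verdict:18} {f['file']} ({f['size']} bytes) sha256={f['sha256']}")
        for reason in f["reasons"]:
            print("    -", reason)
```

Run it as `python3 flash_dmg_triage.py ~/Downloads`. A name that fits the pattern is not proof the file is genuine; the hash is there so the file can be checked against a scanner, and the installer inside the DMG should still be verified with `codesign` on a Mac that has it.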

 


#5 dante12
  • Members
  • 193 posts

Posted 07 January 2017 - 12:15 AM

Try DetectX; there is an older version (described on the page). If you have any questions, please post here.

Click on the Search button to search for malware.

To view the log, click the slider on the left side so that the triangle shows in the middle. Click on the Copy button and post the log here.

You can also post an EtreCheck log.


Edited by dante12, 07 January 2017 - 12:15 AM.


#6 Twin B
  • Topic Starter
  • Members
  • 247 posts
  • Location:More Than a Mile High

Posted 07 January 2017 - 12:37 PM

OK, Etre found one file unknown to Etre, which was this:

 

 

Unknown Files:

/System/Library/LaunchDaemons/com.apple.AppleFileServer.plist~orig

/usr/sbin/AppleFileServer

One unknown file found. [Check files]

 

Here's the report:

 

 

EtreCheck version: 3.0.6 (315)

Report generated 2017-01-07 10:17:38

Download EtreCheck from https://etrecheck.com

Runtime 1:45

Performance: Excellent

Click the [Support] links for help with non-Apple products.

Click the [Details] links for more information about that line.

Problem: No problem - just checking

Hardware Information:

iMac (24-inch, Early 2009)

[Technical Specifications] - [User Guide] - [Warranty & Service]

iMac - model: iMac9,1

1 3.06 GHz Intel Core 2 Duo CPU: 2-core

4 GB RAM

BANK 0/DIMM0

2 GB DDR3 1067 MHz ok

BANK 1/DIMM0

2 GB DDR3 1067 MHz ok

Bluetooth: Old - Handoff/Airdrop2 not supported

Wireless: en1: 802.11 a/b/g/n

Video Information:

NVIDIA GeForce GT 130 - VRAM: 512 MB

iMac 1600 x 1000

spdisplays_display_connector

System Software:

OS X Snow Leopard 10.6.8 (10K549) - Time since boot: about 2 hours

Disk Information:

WDC WD1001FALS-40K1B0 disk0 : (931.51 GB) (Rotational)

- (disk0s1) <not mounted> : 210 MB

Macintosh HD (disk0s2) / [Startup]: 999.86 GB (892.84 GB free)

HL-DT-ST DVDRW GA11N ()

USB Information:

Apple Inc. Built-in iSight

Apple, Inc. Keyboard Hub

Apple, Inc Apple Keyboard

Western Digital My Book 1130 1.82 TB

- (disk1s1) <not mounted> : 210 MB

Time Machine Backups (disk1s2) /Volumes/Time Machine Backups : 2.00 TB (1.79 TB free)

Apple Inc. BRCM2046 Hub

Apple Inc. Bluetooth USB Host Controller

Apple Computer, Inc. IR Receiver

Unknown Files:

/System/Library/LaunchDaemons/com.apple.AppleFileServer.plist~orig

/usr/sbin/AppleFileServer

One unknown file found. [Check files]

Kernel Extensions:

/Library/Application Support/Avast/components/fileshield/unsigned

[loaded] com.avast.AvastFileShield (3.0.0 - SDK 10.9 - 2016-11-22) [Support]

/Library/Application Support/Avast/components/proxy/unsigned

[loaded] com.avast.PacketForwarder (2.1 - SDK 10.11 - 2016-11-22) [Support]

System Launch Agents:

[not loaded] 3 Apple tasks

[loaded] 65 Apple tasks

[running] 6 Apple tasks

System Launch Daemons:

[not loaded] 47 Apple tasks

[loaded] 94 Apple tasks

[running] 27 Apple tasks

Launch Agents:

[running] com.avast.update-agent.plist (2017-01-03) [Support]

[loaded] com.avast.userinit.plist (2017-01-03) [Support]

[running] net.culater.SIMBL.Agent.plist (2011-02-15) [Support]

Launch Daemons:

[loaded] com.adobe.fpsaud.plist (2016-12-10) [Support]

[loaded] com.avast.init.plist (2017-01-03) [Support]

[loaded] com.avast.uninstall.plist (2017-01-03) [Support]

[loaded] com.avast.update.plist (2017-01-03) [Support]

User Launch Agents:

[loaded] com.adobe.ARM.[...].plist (2014-10-13) [Support]

[failed] com.apple.CSConfigDotMacCert-@me.com-SharedServices.Agent.plist (2009-05-30)

[not loaded] com.apple.FolderActions.enabled.plist (2009-11-01)

[not loaded] com.apple.FolderActions.folders.plist (2009-11-01)

[loaded] com.avast.home.userinit.plist (2017-01-03) [Support]

[loaded] com.macpaw.CleanMyMac.helperTool.plist (2009-12-29) [Support]

[loaded] com.macpaw.CleanMyMac.volumeWatcher.plist (2010-09-04) [Support]

User Login Items:

AdobeResourceSynchronizer Application Hidden (/Applications/Adobe Reader.app/Contents/Support/

AdobeResourceSynchronizer.app)

Internet Plug-ins:

JavaAppletPlugin: 13.9.8 - SDK 10.6 (2014-09-02) Check version

FlashPlayer-10.6: 24.0.0.186 - SDK 10.9 (2016-12-13) [Support]

EPPEX Plugin: 4.1.0.0 (2012-08-31) [Support]

AdobePDFViewerNPAPI: 11.0.11 - SDK 10.6 (2015-05-13) [Support]

AdobePDFViewer: 11.0.11 - SDK 10.6 (2015-05-13) [Support]

Flash Player: 24.0.0.186 - SDK 10.9 (2016-12-13) [Support]

QuickTime Plugin: 7.6.6 (2014-09-02)

AmazonMP3DownloaderPlugin: AmazonMP3DownloaderPlugin 1.0.15 (2012-01-07) [Support]

Easy-WebPrint EX: 1.0.0 (2011-06-18) [Support]

Silverlight: 4.0.60531.0 (2011-08-24) [Support]

iPhotoPhotocast: 7.0 (2010-04-02)

Safari Extensions:

AdBlock - BetaFish, Inc. - https://getadblock.com (2016-11-22)

Audio Plug-ins:

iSightAudio: 7.6.6 (2014-09-02)

3rd Party Preference Panes:

BrowserPlus (2010-11-17) [Support]

Flash Player (2016-12-10) [Support]

Flip4Mac WMV (2009-11-03) [Support]

Time Machine:

Time Machine information requires OS X 10.8 "Mountain Lion" or later.

Top Processes by CPU:

3% fontd

2% WindowServer

0% usbmuxd

Top Processes by Memory:

475 MB Safari

90 MB com.avast.daemon

41 MB WindowServer

41 MB mds

33 MB Finder

Virtual Memory Information:

2.30 GB Free RAM

1.70 GB Used RAM

0 B Swap Used

Diagnostics Information:

Jan 7, 2017, 07:26:20 AM Self test - passed

Jan 6, 2017, 01:10:32 PM ~/Library/Logs/DiagnosticReports/

CleanMyMacHelperTool_2017-01-06-131032_[redacted].crash

~/Library/Application Support/CleanMyMac/CleanMyMacHelperTool

Jan 6, 2017, 11:43:37 AM ~/Library/Logs/DiagnosticReports/

CleanMyMacHelperTool_2017-01-06-114337_[redacted].crash

Jan 6, 2017, 11:40:42 AM ~/Library/Logs/DiagnosticReports/

CleanMyMacHelperTool_2017-01-06-114042_[redacted].crash

Jan 6, 2017, 11:32:04 AM ~/Library/Logs/DiagnosticReports/

CleanMyMacHelperTool_2017-01-06-113204_[redacted].crash

Jan 6, 2017, 11:08:33 AM ~/Library/Logs/DiagnosticReports/

CleanMyMacHelperTool_2017-01-06-110833_[redacted].crash

Jan 6, 2017, 11:08:02 AM ~/Library/Logs/DiagnosticReports/

CleanMyMacHelperTool_2017-01-06-110802_[redacted].crash

Jan 6, 2017, 10:45:49 AM ~/Library/Logs/DiagnosticReports/

CleanMyMacHelperTool_2017-01-06-104549_[redacted].crash

Jan 6, 2017, 09:22:52 AM ~/Library/Logs/DiagnosticReports/

CleanMyMacHelperTool_2017-01-06-092252_[redacted].crash

Jan 6, 2017, 09:21:07 AM ~/Library/Logs/DiagnosticReports/

CleanMyMacHelperTool_2017-01-06-092107_[redacted].crash

Jan 4, 2017, 10:49:50 AM ~/Library/Logs/DiagnosticReports/

CleanMyMacHelperTool_2017-01-04-104950_[redacted].crash

Jan 4, 2017, 10:48:12 AM ~/Library/Logs/DiagnosticReports/

CleanMyMacHelperTool_2017-01-04-104812_[redacted].crash

Jan 4, 2017, 10:43:31 AM ~/Library/Logs/DiagnosticReports/

CleanMyMacHelperTool_2017-01-04-104331_[redacted].crash

Jan 4, 2017, 10:43:07 AM ~/Library/Logs/DiagnosticReports/

CleanMyMacHelperTool_2017-01-04-104307_[redacted].crash

Jan 4, 2017, 10:41:39 AM ~/Library/Logs/DiagnosticReports/

CleanMyMacHelperTool_2017-01-04-104139_[redacted].crash


I've learned blood is not thicker than money. 

 


#7 dante12
  • Members
  • 193 posts

Posted 07 January 2017 - 05:30 PM

Do you use a file server? This unknown file is part of the File Sharing option.

CleanMyMac is crap; uninstall it. Maintenance on a Mac with cleanup tools is useless because macOS has its own cleaning operations, and they work far better than any third-party tool.

Please check this website for traces on your system.

Also, try the older version of DetectX (link at #5) to search for other traces.



#8 Twin B
  • Topic Starter
  • Members
  • 247 posts
  • Location:More Than a Mile High

Posted 07 January 2017 - 08:45 PM

Well, I don't use a server. 

I've never used CleanMyMac so I'll uninstall it. 

 

Thanks Dante. 


I've learned blood is not thicker than money. 

 


#9 Twin B
  • Topic Starter
  • Members
  • 247 posts
  • Location:More Than a Mile High

Posted 07 January 2017 - 08:57 PM

This is weird: CleanMyMac is not listed in Applications and Spotlight can't find it either. Sigh.


Edited by Twin B, 07 January 2017 - 08:58 PM.

I've learned blood is not thicker than money. 

 


#10 dante12
  • Members
  • 193 posts

Posted 08 January 2017 - 03:08 AM

  1. OK, please download Find Any File.
  2. Unzip and start the app. Search for the terms CleanMyMac and MacPaw.
  3. For a system-wide search, enter one of the two terms in the search field and hold the ALT (Option) key while pressing the Enter key. Enter your admin password.
  4. Choose only the entries that contain these two terms, no others, please!
  5. Delete these files by pressing CMD + Backspace. You can find the deleted files in your Trash folder.

Please press CMD + Space, copy and paste the path from the code box, and press Enter.

/Library/LaunchAgents/
  • If you find this entry: net.culater.SIMBL.Agent.plist
  • make a copy of that file by selecting it with your mouse, holding the ALT (Option) key and dragging it to your Desktop.
  • Open this Desktop copy with TextEdit and search for private strings like your username or similar entries. Make these illegible.
  • After doing so, copy and paste the content of the processed file here.

  • Restart, and hold the Shift key during startup to boot into Safe Mode. Loading in Safe Mode takes some time; this is normal.
  • Once done, log in and open Disk Utility. Choose your system drive on the left side and check and repair the permissions.
  • Restart in normal mode.

Edited by dante12, 08 January 2017 - 03:18 AM.
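Added example (Python 3, not part of the thread and not dante12's or EtreCheck's code) covering the two launchd plist tasks raised above in one script: it compares a job plist with its "~orig" backup, as for the /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist~orig pair EtreCheck reported in #6 and dante12 discussed in #7, lists which executable the job runs, and redacts /Users/<name> paths the way #10 asks before the SIMBL agent plist is posted. The sample plists are constructed for this example and are not the poster's files; the list of "system" directory prefixes is an assumption, marked in the code.

```python
"""Inspect a launchd job plist: diff against its '~orig' backup, list what it runs,
and redact home-directory user names before posting it (added example)."""
from __future__ import annotations

import plistlib
import re
import sys
from pathlib import Path

# ASSUMPTION: where Apple-shipped launchd jobs normally keep their executables.
SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/")


def load_plist(data: bytes) -> dict:
    """Parse XML or binary plist bytes (plistlib detects the format)."""
    return plistlib.loads(data)


def program_paths(job: dict) -> list[str]:
    """Executable(s) the job runs: 'Program' and/or argv[0] of 'ProgramArguments'."""
    paths = []
    if job.get("Program"):
        paths.append(job["Program"])
    args = job.get("ProgramArguments") or []
    if args:
        paths.append(args[0])
    return paths


def diff_plists(current: dict, orig: dict) -> dict[str, tuple]:
    """{key: (orig_value, current_value)} for every key whose value differs."""
    return {
        k: (orig.get(k), current.get(k))
        for k in sorted(set(current) | set(orig))
        if current.get(k) != orig.get(k)
    }


def assess(current: dict, orig: dict | None = None) -> list[str]:
    """Findings a reviewer would care about: enable/disable flips, retargeted
    executables, and executables living outside the system directories."""
    findings = []
    if orig is not None:
        changes = diff_plists(current, orig)
        if changes.get("Disabled") == (True, False):
            findings.append("job was enabled (Disabled: true -> false)")
        elif changes.get("Disabled") == (False, True):
            findings.append("job was disabled (Disabled: false -> true)")
        for key in ("Program", "ProgramArguments"):
            if key in changes:
                findings.append(f"{key} changed: {changes[key][0]!r} -> {changes[key][1]!r}")
    for path in program_paths(current):
        if not path.startswith(SYSTEM_PREFIXES):
            findings.append(f"executable outside system directories: {path}")
    return findings


def redact_for_posting(data: bytes) -> str:
    """Replace the account name in any /Users/<name> path before the text is shared."""
    text = data.decode("utf-8", errors="replace")
    return re.sub(r"/Users/[^/<\s]+", "/Users/[redacted]", text)


# Constructed samples (made up for this example; NOT the contents of the poster's files).
ORIG_SAMPLE = plistlib.dumps({
    "Label": "com.apple.AppleFileServer", "Disabled": True,
    "ProgramArguments": ["/usr/sbin/AppleFileServer"],
})
CURRENT_SAMPLE = plistlib.dumps({
    "Label": "com.apple.AppleFileServer", "Disabled": False,
    "ProgramArguments": ["/usr/sbin/AppleFileServer"],
})
AGENT_SAMPLE = plistlib.dumps({
    "Label": "example.agent", "RunAtLoad": True,
    "ProgramArguments": ["/Users/alice/Library/Application Support/Example/agent"],
})


def inspect_file(plist_path: Path) -> list[str]:
    """Live mode: compare <path> with <path>~orig when that backup exists."""
    current = load_plist(plist_path.read_bytes())
    backup = Path(str(plist_path) + "~orig")
    orig = load_plist(backup.read_bytes()) if backup.exists() else None
    return assess(current, orig)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for line in inspect_file(Path(sys.argv[1])) or ["no changes or odd paths found"]:
            print("-", line)
    else:
        cur, old = load_plist(CURRENT_SAMPLE), load_plist(ORIG_SAMPLE)
        print("sample diff:", diff_plists(cur, old))
        print("sample findings:", assess(cur, old))
        print(redact_for_posting(AGENT_SAMPLE))
```

Run it as `python3 plist_check.py /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist` on the affected Mac, or copy the plist and its ~orig twin to a machine with Python 3 (Snow Leopard ships Python 2.6). The script only reads the plist; whether the binary it points at is genuine is a separate check (`codesign -vv /usr/sbin/AppleFileServer` on a Mac), and a "~orig" file in a system LaunchDaemons directory only tells you that something rewrote the plist, not what did it.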


#11 Twin B
  • Topic Starter
  • Members
  • 247 posts
  • Location:More Than a Mile High

Posted 08 January 2017 - 12:56 PM

OK thanks. 


I've learned blood is not thicker than money. 

 




