'Flashback' trojan estimated to have infected 600K Macs worldwide - Page 4

Here's some: (1) you entered your UUID incorrectly; (2) the tools and instructions from F Secure and Symantec are wrong, you are infected; (3) it's just an plain old false positive, i.e. an error by Kaspersky's online tool.

(3) is probably the most likely but it says more about your mindset that you would jump from having a single false positive to the conclusion that a widely known security vendor are "liars." And how would they increase "sales"? The Flashback removal tool they and other vendors offer are all free with no obligation to pay for anything else. You can choose to buy their paid solutions but you're free not to - use the Flashback tools and delete them and never deal with them again.

If I was as distrustful and quick to label folks as liars as you, I might question whether you actually got a false positive - all we have is your claim that Kaspersky's tool identified your computer as infected while the tools from F-Secure and Symantec did not. Maybe you're so keen and eager to "protect" Apple that you're lying. How's that for questioning someone's motives instead of addressing the content of their arguments?

But I take you at your word. All I'd say is that it's a massive leap to say a single false positive demonstrates the existence of a Big Lie to hookwink and scare Mac users worldwide. My blood work comes back from my doctor and if the results turn out to be a false positive, I hardly jump to the conclusion that my doctor, the lab and the pharmaceutical industry as a whole are engaged in a vast conspiracy to drive up medical spending. Your case appears to be a false positive, nothing more, nothing less. Your tiny bit of evidence doesn't support either of your conclusions. At most, it demonstrates Kaspersky's tool isn't perfect and makes mistakes. It hardly proves the counting methodology is "fundamentally flawed."

What I'm still waiting for is an explanation of HOW the methodology is so flawed that it can't be trusted at all - why doesn't counting the number of bots that check in with a command server as those bots are instructed to do by the trojan give you an accurate count of the size of the infection? If you have any explanation why this doesn't work - one that doesn't resort to charges of lying, which doesn't actually rebut or undermine the methodology but only attacks the integrity of the researchers - I am very curious to hear it.

In case you missed it, I did not jump to any conclusions. I am trying to find reasonable explanations. Like it or not, lying is one of them.


I do not have the technical knowledge to find out how and why, I can only report what I saw. And what I saw seriously questions their approach. Wrong methodology is the other possible explanation.


Again, instead of making an effort to enlighten me as to what explanations we could give, except the obvious ones that I stated before, you try to discredit my findings by turning the attention to the technical aspects no one here could ever know. Nice try! But the big question marks remains: what is behind this?

Anyone else willing to risk a guess?

OK, this is what I wanted to see. Yes, it may be an error of the online tool. But then they should retire it until it runs correctly. Same goes to f-secure and Symantec if their tools do not work correctly. Also, I disabled Java two years ago, so no, I am not infected.

It's not a live check. They are matching your UUID against their database of records of contacts to their server.

- your computer was infected and sent a contact to their server
- they setup an online tool to verify if your UUID is in their database
- if it finds your UUID, it will tell you that you are infected

All the tool means is that at some point in time, your machine contacted them. They may only check against the original database.

You should also check you don't have the other payload someone noted on the forum about the .rserv file. In the terminal, type:

ls -a ~/

If you see a file called .rserv, you still have an executable contacting their servers. There will also be a launchagent called ~/Library/Launchagents/com.adobe.reader.plist, which is used to run it.

@ Marvin: Thank you for the input; thoughtful and focused as always.

I understand that this is not a system scan but a simple database check, otherwise it would not ask the UUID.

Also, I checked up everything you suggested, even for the ~/Library/Preferences/Preferences.dylib used by old versions of Flashback, just in case, and I came out clean. I checked even my Time Machine backups for older traces of .rserv etc, in case I forgot something, but nothing.

I run Little Snitch and Java is disabled for at least 2 years now. The fact that Kaspersky's online tool flags my Mac as infected is still a big mystery to me. But considering what an AI user said here, probably it should be not.