Do I have a Mac OS X trojan?

I admit it...I'm a little paranoid. However, I fear my Mac could possibly have a Trojan. Recently I've noticed several things being denied through "Little Snitch." This includes the XProtectorUpdater and Google software updates. I have heard of a new Trojan that does such a thing. I'm not sure how to go about checking for a Trojan and I haven't seen any other suspicious things taking place. I do have a free edition of Sophos antivirus. Although its the free version, I would think it would recognize most things.

So how would I check for a Trojan and how would I handle it? I imagine I would have to re-run the OS (I have done that before on a PC), but I'm not sure how to work that either. Thanks in advance!
 
XProtectUpdater is OS X's built in malware detection updater. If Little Snitch is in fact denying "XProtectorUpdater" then you may be on to something, but I haven't found anything about that online.

Check to see that this file still exists: /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist
 
"This XML file does not appear to have any style information associated with it. The document tree is shown below."

I'm guessing not. Little Snitch has a rule set to allow it. However, its still being denied.
 
You don't need to open that file (/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist) just look to see if it is there - ie - navigate there through Finder. If the file is gone, that is symptomatic of one of the trojans that affect OS X. If its there, you are likely ok.

I assume you've updated your Sophos AV and ran it?

Can you confirm whether LS is denying XProtectorUpdater or XProtectUpdater?
 
I don't believe I have the file. I have run Sophos several times and nothing has come up. And yes, it is up to date. That has not been disabled. I'm not sure if LS is denying XProtector, because it is in the rules to allow. However, I once caught it being denied. Googlesoftware updates have also been denied, but I don't believe LS is doing it.

"Finder via nmblookup" is also frequently terminated.
 
I don't think we are getting anywhere, you still haven't answered whether its XProtectUpdater or XProtectorUpdater, and you can't definitively tell me whether you have the plist I'm asking about. I'm working under the assumption that if you have a trojan, its a Flashback variant.

This might be of better help. You have to get down to the Oct 20, 2011 4:10 PM post before the OP figures out the file path. https://discussions.apple.com/thread/3415343?start=0&tstart=0

This page should also help with removal, IF, you have Flashback.D which doesn't seem to be very common.

As always, the best practice is to ignore a Flash Update popup unless you know for sure it should have occurred. If you are unsure at all, go to Adobe's page and get the latest Flash from them.
 
Back