Question about OS X Flashback.K trojan

On this instructional post:


The initial instructions are:


  • 1. Run the following command in Terminal: 

    ls -lA ~/Library/LaunchAgents/ 

  • 2. Take note of the filename. Proceed only when you have one file. Otherwise contact our customer care.


I ran the indicated command and encountered this output:


Node00:~ mdyson$ ls -lA ~/Library/LaunchAgents/
total 64
-rw-r--r-- 1 mdyson staff 697 Nov 15 10:19 com.adobe.AAM.Updater-1.0.plist
-rw-r--r-- 1 mdyson staff 574 Dec 1 17:51 com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist
-rw-r--r-- 1 mdyson staff 618 Nov 14 17:54
-rw-r--r-- 1 mdyson staff 889 Nov 14 17:25 [email protected]plist
-rw-r--r-- 1 mdyson staff 425 Dec 22 13:36
-rw-r--r-- 1 mdyson staff 517 Dec 22 13:36
[email protected] 1 mdyson staff 803 Jan 7 13:43
[email protected] 1 mdyson staff 543 Jan 30 10:58 ws.agile.1PasswordAgent.plist


In item 2, based on multiple results, my apparent next step would be to contact "our customer care" but I am not an F-Secure customer and instructions as to exactly whom and how I am to contact them are lacking. For various reasons I did have Java installed and enabled in Safari.


Based on the above output should I even be worried?


Thanks in advance!

Accepted Answer


  • I also get similar results. Have contacted support, will post again if I get answers.
  • I got this when I ran step one of the disinfection protocol on Lion:


    Last login: Wed Apr 4 11:13:58 on ttys001
    [macbook-extreme-3:~] mheister% ls -lA ~/Library/LaunchAgents/
    total 32
    -rw-r--r-- 1 mheister staff 618 Oct 13 23:56
    -rw-r--r-- 1 mheister staff 425 Mar 24 10:42
    -rw-r--r-- 1 mheister staff 517 Apr 3 20:35
    -rw-r--r-- 1 mheister staff 815 Jan 10 2009
    [macbook-extreme-3:~] mheister%


    Instructions are to contact CS here if the response is more than one line. Suggestions???



  • Thank you for the quick and thorough reply!
  • Rusli
    Rusli Posts: 1,002 Adventurer

    Hi Michael,


    You're welcome.


    Also please take note of the steps below which Norton recommends.



    Follow the recommendations steps as layout by Norton.



    Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

    • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
    • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
    • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
    • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
    • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
    • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
    • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
    • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
    • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
    • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.



    And those steps which I mentioned earlier. (Which is very very important)


    Anyway does Safari have NoScript Addons???


    The best is to turn off Java and Flash.


    Only use it when you know it is a trusted website.


    Use CCleaner for Mac.



    Download Macscan Trial. If you suspected that your computer have been infected.



    And do a full scan.


    On a lookout with latest security news or updates  via (US Homeland Security)


    Some of the Apps in the Apple Apps Store are malware. So be extra carefull.


    Be wary of iTunes Credit Card Scam.



  • leelee
    leelee Posts: 4

    Macintosh-5:~ leanderpaulboucher$ ls -lA ~/Library/LaunchAgents/
    total 16
    -rw-r--r-- 1 leanderpaulboucher staff 574 Oct 13 09:35 com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist
    -rw-r--r-- 1 leanderpaulboucher staff 815 Jun 28 2011


    Listed above are the file names that resulted in running:

      ls -lA ~/Library/LaunchAgents/


    I'm a noob at this. What does this mean? Am I infected or not and what do I do next?


  • leelee
    leelee Posts: 4

    Thanks for your assistance!

  • Rusli
    Rusli Posts: 1,002 Adventurer



    What Chris and me posted are the same.


    You can read my posting via the same site.


  • Rusli
    Rusli Posts: 1,002 Adventurer

    Here is the remedy to Flashback I variant remover from F-Secure.



    There is Flashback J which Eset is detecting.



    dated NOD32 - v.7032 (20120406)

  • leelee
    leelee Posts: 4

    Your assistance is greatly appreciated

  • leelee
    leelee Posts: 4

    Thanks a million to Chris and Rusli. I finally got rid of the trojan. All's well and back to normal.

  • manyne
    manyne Posts: 46



    We have release a tool to remove the Flashback Mac OS X malware. You can refer to our Weblog below:






  • I agree. This removal tool has helped me earlier with such problem. Thanks guys.image

  • Rusli
    Rusli Posts: 1,002 Adventurer

    You're welcome lee.



    I should give a credit to the guys at F-Secure & the F-Secure SAS Team, The Project Managers!


    They have done a great job at this!!! (Without them ... we won't be here by now.)


    Keep up the good work guys.


    Not to mentioned, CNET too did a good job.




    - I'm always "the last in line". (Someone will know what I mean to this. He would LOL! Yeah D.I.O)



This discussion has been closed.
Pricing & Product Info