55 Replies Latest reply: Jan 11, 2014 11:32 PM by MadMacs0
  • 30. Re: Malware has setup a hidden partition
    Topher Kessler Level 6 (9,340 points)

    Nobody's saying it's impossible to be malware, but rather that it's improbable. Many folks here are well-versed in the Mac malware scene and while there's the possibility of a new threat out there that behaves like this, so far it's not been documented.

     

    It's possible this has arisen from malicious activities, but do keep in mind that both the Flash plugin and the Flash system preferences can detect if Flash is out of date and inform you of an update. Additionally Apple's XProtect security feature in OS X may block the plugin if it's out of date, and inform you of the need to update, so there are several modes by which the system can issue you requests to update Flash, without it being malware.

     

    However, if you don't want to take any chances, then formatting and reinstalling OS X is one way to clear any unknown items that may have been installed.

  • 31. Re: Malware has setup a hidden partition
    thomas_r. Level 7 (27,985 points)

    There are many malicious web sites out there that will display fake Flash update notices. Just ignore and close them. Make sure that you don't have Java enabled in your web browser, and use a Flash blocker (like ClickToFlash), and don't install anything that gets downloaded as a result.

     

    It sounds like you have had some bad experiences with malware on Windows, but do not use your experience with Windows malware to extrapolate behavior on the Mac. Of course malware will often download more files, but it certainly does not do so in a way that the average user would notice. Regarding Flashback, no, there aren't newer versions. It is extinct at this point. No new infections have been seen in about a year.

     

    You are not well served by making assumptions about your issues that are not grounded in fact. We can help you determine what is going on if you could simply post clear, detailed descriptions of the behavior, without interpretation.

  • 32. Re: Malware has setup a hidden partition
    Royal Cascadian Level 1 (0 points)

    Well, I grew up with Macs and have used them longer than PCs by a decade, so my experience isn't based on just PCs. All I know is what I told you. I'll give an example of the improbable I have encountered just trying to use the community forums.

     

    For instance, I had to call Apple support last week because my password wouldn't reset. I entered the right apple id name, the security questions and then entered my new password, then went to sign in. After 4 times of doing this loop of entering my name, answering security questions, entering new password, and being told my password was incorrect, I called a skeptical lady at Apple. After going through this on the phone, I entered my new, correct apple id and password. This time, I got an unknown error message repeatedly after entering my new updated apple id and newly set password. I called again, spent another 40 minutes on the phone with the guy who was having a hard time believing me. Eventually we figured out that Chrome was redirecting in a strange and UNLIKELY loop. That worked, that was just me trying to get on this forum about a separate issue.

     

    How probable is it that I had an apple id that was "correct" but also incorrect?

     

    Now I'm having a strange problem with restarting my mac to reinstall ML. I have clicked off the require password after sleep or screen saver begins. Yet, as improbable as it is, it still asks for a password on every restart. Any suggestions? Or is it better for another forum?

  • 33. Re: Malware has setup a hidden partition
    Barney-15E Level 8 (35,295 points)

    Now I'm having a strange problem with restarting my mac to reinstall ML. I have clicked off the require password after sleep or screen saver begins. Yet, as improbable as it is, it still asks for a password on every restart. Any suggestions? Or is better for another forum?

    Is Users & Groups set to Automatic Login?

    Do you have FileVault enabled?

     

    Based on all the other issues, do you have disk corruption that is manifesting in all sorts of weird behavior?

  • 34. Re: Malware has setup a hidden partition
    thomas_r. Level 7 (27,985 points)

    For instance, I had to call Apple support last week because my password wouldn't reset.

     

    I can't comment much on that, because there's no real concrete information there. If the issue has to do with a redirect in Chrome, see:

     

    Eliminating browser redirects and advertisements

     

    I have clicked off the require password after sleep or screen saver begins. Yet, as improbable as it is, it still asks for a password on every restart.

     

    That setting only controls whether the password is requested on waking from sleep or dismissing the screen saver. It has nothing to do with passwords at startup.

     

    If you are being prevented from reinstalling the system by a password, that's either a firmware password or a request for the password for the Apple ID used to purchase Mountain Lion.

  • 35. Re: Malware has setup a hidden partition
    Royal Cascadian Level 1 (0 points)

    The customer service story is only to show improbable doesn't mean impossible.

     

    So, I've got it to restart into recovery mode but following the directions from this

    https://discussions.apple.com/message/21351650#2135165

     

    I'm told to "Go into Disk Utility and erase your Macintosh HD." The problem with that is that it isn't an option. Side note, I had to use my camera as screen capture isn't available in recovery mode.

     

    So, what do I do? Just reinstall it over the current system and not erase it like the instructions said?

     

    I know this is off the original topic, but I'm still not able to resolve this yet.

     

    In addition, what's a firmware password? That only began when I clicked on use a password on wake from sleep. Now that it's off it still is asking even though that's how it was turned on. How do you turn off a firmware password?

     

    Thanks

  • 36. Re: Malware has setup a hidden partition
    Barney-15E Level 8 (35,295 points)

    Your directory structure looks to be messed up as the top item should be a physical description of the drive such as, MATSUSHITA 500GB....

    The indented items will be logical volumes on the hard drive.

    Select the very top Macintosh HD and try repairing it. That should repair the directory.

     

    I'm also confused that the Macintosh HD is on the top. That usually indicates the boot drive, which would explain not being able to erase it. However, I haven't been in Recovery in a while, so that may be correct for recovery.

    That's normal for Recovery.

  • 37. Re: Malware has setup a hidden partition
    thomas_r. Level 7 (27,985 points)

    This seems to be an issue experienced by at least some people using FileVault. See:

     

    https://discussions.apple.com/thread/4232251?start=0&tstart=0

     

    I don't use it personally, so I have no experience with whether this is normal or not, but perhaps it will help you.

     

    Regarding the firmware password, that prevents you from booting from any but your internal hard drive's system without providing the password, among other things. See:

     

    http://support.apple.com/kb/HT1352

  • 38. Re: Malware has setup a hidden partition
    Barney-15E Level 8 (35,295 points)

    Ok. Your drive is Encrypted with FileVault. That is likely why it looks like it does.

  • 39. Re: Malware has setup a hidden partition
    Topher Kessler Level 6 (9,340 points)

    This issue is because you are using FileVault, where the system sets its CoreStorage technology for managing volumes. This is why the device is listed as a "Logical Volume Group" instead of a "Solid State Disk" or other physical device.

     

    To erase this volume, try first destroying the logical volume group. This will take a bit of Terminal work, so do the following:

     

    1. Open the Terminal in the Utilities menu

     

    2. Run the following command:

     

    diskutil cs list

     

    3. Locate the UUID of the "Logical Volume Group" in the CoreStorage tree that is output from this command. The UUID will be a series of letters and numbers, separated by dashes.

     

    4. With the UUID, run the following command to delete the CoreStorage volume (see screenshot below):

     

    diskutil cs delete UUID

     

    LVG.png

     

    When finished, wait for the command to complete and return you to the command prompt, and then try formatting the drive again.
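
The UUID lookup in steps 2 to 4 of the post above, as an added example that is not part of the original thread: it reads `diskutil cs list` output, picks out the "Logical Volume Group" UUID and the FileVault encryption status, and prints the delete command without running it. The sample output and its UUIDs are constructed, and the function names are illustrative.

```shell
#!/bin/sh
# Constructed sample of `diskutil cs list` output; every UUID here is made up.
sample_cs_list() {
cat <<'EOF'
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 11111111-2222-3333-4444-555555555555
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-< Physical Volume AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
    |   Disk:     disk0s2
    |
    +-> Logical Volume Family 66666666-7777-8888-9999-000000000000
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        |
        +-> Logical Volume 12345678-90AB-CDEF-1234-567890ABCDEF
            Disk:                  disk1
EOF
}

# Print the UUID of each "Logical Volume Group" line on stdin. The match is
# case-sensitive, so the "logical volume groups (1 found)" banner is skipped,
# as are the Physical Volume, Family and Logical Volume UUIDs.
lvg_uuids() {
    awk '/Logical Volume Group/ {
        u = $NF
        if (length(u) == 36 && u ~ /^[0-9A-Fa-f-]+$/) print u
    }'
}

# Print the "Encryption Status" value (present when FileVault manages the disk).
encryption_status() {
    awk -F': *' '/Encryption Status:/ { print $2 }'
}

# Print, but do not run, the delete command. Refuse unless exactly one group
# is listed, so the wrong group is never destroyed by a copy-paste slip.
delete_command() {
    uuids=$(lvg_uuids)
    count=$(printf '%s\n' "$uuids" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "expected 1 Logical Volume Group, found $count" >&2
        return 1
    fi
    printf 'diskutil cs delete %s\n' "$uuids"
}

# In Recovery's Terminal this would be: diskutil cs list | delete_command
sample_cs_list | delete_command
```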

  • 40. Re: Malware has setup a hidden partition
    Barney-15E Level 8 (35,295 points)

    FileVault will always ask for your password on restart in order to decrypt the drive.

    There is no point in encrypting the disk if you're just going to automatically decrypt it.

  • 41. Re: Malware has setup a hidden partition
    Topher Kessler Level 6 (9,340 points)

    This thread has become quite difficult to navigate...

  • 42. Re: Malware has setup a hidden partition
    MadMacs0 Level 4 (3,735 points)

    I held off responding as you seemed to have chosen a path and I didn't want to distract from that. Hope you have everything working now.

    Royal Cascadian wrote:

     

    But the fact that my browsers are supposed to automatically update flash, yet tell me to update the flash player externally with the one on my computer, which I didn't install, would seem likely that it is malware.

    The automatic update capability of System Preferences->Flash Player->Advanced tab has never worked. I gave up and set mine to Notify. Chrome is the only one of my browsers that automatically updates.

    Just because you personally haven't run into this, doesn't mean it's impossible, just unlikely, yet.

     

    Have you never heard of a malware program automatically downloading more files? What do you think flashback was? And do you not think there are already newer versions of that? This is just the beginning for Macs.

    At least three of us folks who have tried to help you here have an ulterior motive for being here and that is in case you are right about new malware. We spend a good portion of our days scanning the Internet and reading the security blogs for any sign of a new mac threat. It would not be the first time that we have stumbled across a zero-day infection that none of the A-V labs, etc. have run across yet. That's why we keep insisting on details and answers to detailed questions. I realize that your first priority must be getting your computer back on track, but hopefully you appreciate that in doing so you can help the community out before things get out of control as they did about a year ago.

     

    Of course we know about Trojan downloaders. That's the way almost all drive-by infections occur. Neither I nor any of the other contributors said that wasn't a possibility, just that we are currently unaware. I believe the Flashback developers retreated from the OS X market because it wasn't cost effective for them, even after collecting advertising fees for ~600,000 users for a short time. Are they working on the next version? Certainly possible, and some of us want to be on top of it should they choose to open that market up again.

  • 43. Re: Malware has setup a hidden partition
    putnik Level 3 (690 points)

    Did you set up Disk Utility to see the Debug menu and all partitions?

     

    The Terminal command is:

     

    defaults write com.apple.diskutility DUDebugMenuEnabled 1

     

    Then select the Debug menu item and "Show every partition"

     

    The "hidden" partition should be there to see.

  • 44. Re: Malware has setup a hidden partition
    Royal Cascadian Level 1 (0 points)

    I'm about to start on the disk utility, but I've got to say that it's very frustrating and very discouraging to do anything when I'm told it's ME who just renamed my own machine without knowing I did. It would be a lot more encouraging if I wasn't dismissed as just someone who doesn't understand Macs. I wonder how many other people have this happen to them. I should note on the Microsoft support forums the very first reply was a huge detailed list of what to do and nothing about it being me. I expected more from Apple than from Microsoft.

     

    I reinstalled OSX but the downloaded flash player is still there and now Chrome opens on start up. Which I didn't do since I don't know how or why I would. In addition, I reinstalled Firefox but when I did and it told me to quit Firefox, I did. And it still asked to shut down Firefox even though it wasn't open or on. I did this twice and both times it kept telling me to quit Firefox even though it wasn't on. Which leads me to believe the malware has infected my browsers and has started to rewrite code on my machine.

     

    I'm also working on my PC at the same time which is completely taken over, so this will take a little bit to work through but I will reply with the results of the terminal/disk utility.

     

    Thanks to everyone who has given me advice, I really appreciate it.