-
Apr 5, 2016 1:21 PM in response to Shawody, by Linc Davis:
You don't have to connect the affected machine to the network. You can copy the script to a plain text file and transfer that file to a storage device such as a USB flash drive. Mount the drive and proceed with Step 7 as if you had loaded the web page with the text. You will then have to copy the output to the drive and mount it on another machine that is connected to the network. If you're concerned that some kind of infection will be transmitted that way, erase the internal drive of the connected machine and restore from a backup.
-
Apr 5, 2016 1:23 PM in response to Kurt Lang, by Shawody:
Interesting that you mentioned Desktop. Desktop was one of the affected folders; however, I haven't seen anywhere that Desktop is set as a portal/shared folder between Mac and VMware. Do you know, is that set by default in VMware?
That's why it bugs me: if it is Windows only, how did it manage to get there, especially as there is no Flash installed on Windows, and no web pages were opened or email checked there... And as said before, no Windows folders seem to be affected, only Mac ones, although some (a minority, about 16) of them were shared between Mac and VMware.
-
Apr 5, 2016 1:31 PM in response to Linc Davis, by Shawody:
I see... sorry Linc, I thought you had to be connected online and paste some text that the script then tests, but I see now that the text is the script. My bad.
Can you tell me, is there any identifiable information in the output of that script? Names, IDs, etc.?
-
Apr 5, 2016 1:42 PM in response to Shawody, by Linc Davis:
"is there any identifiable information in the output of that script?"
Usually not, but as I wrote earlier, the report is human-readable and you should anonymize any information that you don't want to disclose before posting. There is no hidden information in it, as you can verify.
-
Apr 6, 2016 3:15 AM in response to Linc Davis, by Shawody:
Here it is, Linc (all lines as produced; I omitted some info in certain lines):
1 Start time: 10:50:27 04/06/16
2
3 Revision: 1561
4
5 Model Identifier: MacBook5,1
6 Boot ROM Version: MB51.007D.B03
7 System Version: OS X 10.10.5 (14F1605)
8 Kernel Version: Darwin 14.5.0
9 Time since boot: 8 minutes
10
11 Memory
12
13 BANK 0/DIMM0
14
15 Size: 4 GB
16 Speed: 1067 MHz
17 Status: OK
18 Manufacturer: 0x029E
19
20 BANK 0/DIMM1
21
22 Size: 4 GB
23 Speed: 1067 MHz
24 Status: OK
25 Manufacturer: 0x029E
26
27 Battery
28
29 Condition: Service Battery
30
31 SerialATA
32
33 KINGSTON
34 WDC
35
36 USB
37
38 USB HD (Phison Electronics Corp.)
39
40 Activity
41
42 CPU: user 13%, system 15%
43
44 File opens (/s)
45
46 ReportCrash (UID 501) => /usr/lib/system (status 0): 21
47 ReportCrash (UID 501) => /usr/lib/system (status 2): 21
48 ReportCrash (UID 501) => /usr/lib (status 0): 21
49 ReportCrash (UID 501) => /usr/lib (status 2): 15
50
51 System errors (/s)
52
53 ReportCrash (UID 501, error 2): 697
54
55 Energy impact, lifetime (relative)
56
57 ReportCrash (UID 501): 47.82
58 Terminal (UID 501): 34.67
59 firefox (UID 501): 18.25
60 bash (UID 501): 16.49
61
62 Energy impact, sampled (relative)
63
64 ReportCrash (UID 501): 53.89
65
66 CPU usage, lifetime (ms/s)
67
68 ReportCrash (UID 501): 478.36
69 Terminal (UID 501): 346.71
70 firefox (UID 501): 180.77
71 bash (UID 501): 164.94
72
73 CPU usage, sampled (ms/s)
74
75 ReportCrash (UID 501): 538.92
76
77 Firewall: On
78
79 Tunnel: Yes
80
81 Listeners
82
83 cupsd: ipp
84 kdc: kerberos
85 launchd: afpovertcp
86 launchd: microsoft-ds
87
88 Diagnostic reports
89
90 2016-02-28 SocialPushAgent crash
91 2016-02-29 accountsd crash
92 2016-03-02 accountsd crash
93 2016-03-07 Finder hang x2
94 2016-03-07 SocialPushAgent crash
95 2016-03-07 accountsd crash
96 2016-03-07 firefox hang
97 2016-03-07 plugin-container crash
98 2016-03-16 Finder hang x2
99 2016-03-16 Safari crash
100 2016-03-17 SocialPushAgent crash x3
101 2016-03-19 SocialPushAgent crash
102 2016-03-20 SocialPushAgent crash
103 2016-03-22 accountsd crash
104 2016-03-26 Safari crash
105 2016-03-26 SocialPushAgent crash
106 2016-03-26 com.apple.preference.security.remoteservice crash x3
107 2016-04-05 SocialPushAgent crash
108 2016-04-05 bird crash x17
109 2016-04-05 cloudd crash x20
110 2016-04-05 com.apple.preference.security.remoteservice crash
111 2016-04-06 SocialPushAgent crash
112 2016-04-06 accountsd crash x20
113 2016-04-06 bird crash x3
114 2016-04-06 sharingd crash x20
115
116 HID errors: 2
117
118 Kernel log
119
120 Apr 5 17:47:23 vmnet: netif-vmnet1: SIOCPROTODETACH failed: 16.
121 Apr 5 17:47:23 vmnet: netif-vmnet8: SIOCPROTODETACH failed: 16.
122 Apr 5 17:47:35 vmnet1: failed to restore 1 suspended link-layer multicast membership(s) (err=102)
123 Apr 5 17:47:35 vmnet8: failed to restore 1 suspended link-layer multicast membership(s) (err=102)
124 Apr 5 17:48:33 Over-release of kernel-internal importance assertions for pid 244 (Little Snitch Ne), dropping 1 assertion(s) but task only has 0 remaining (0 external).
125 Apr 5 17:59:22 vmnet: netif-vmnet1: SIOCPROTODETACH failed: 16.
126 Apr 5 17:59:23 vmnet: netif-vmnet8: SIOCPROTODETACH failed: 16.
127 Apr 5 17:59:29 vmnet1: failed to restore 1 suspended link-layer multicast membership(s) (err=102)
128 Apr 5 17:59:29 vmnet8: failed to restore 1 suspended link-layer multicast membership(s) (err=102)
129 Apr 5 19:41:36 vmnet: netif-vmnet1: SIOCPROTODETACH failed: 16.
130 Apr 5 19:41:36 vmnet: netif-vmnet8: SIOCPROTODETACH failed: 16.
131
132 System log
133
134 13 CoreData 0x00007fff9678f4d6 developerSubmittedBlockToNSManagedObjectContextPerform + 182
135 14 libdispatch.dylib 0x00007fff911c6e73 _dispatch_client_callout + 8
136 15 libdispatch.dylib 0x00007fff911c78ca _dispatch_barrier_sync_f_invoke + 57
137 16 CoreData 0x00007fff9678f3b6 -[NSManagedObjectContext performBlockAndWait:] + 214
138 17 AccountsDaemon 0x00007fff8c2c30b5 -[ACDDatabaseInitializer updateDefaultContent] + 132
139 18 AccountsDaemon 0x00007fff8c2f09cc -[ACDDatabase _setupManagedObjectContext] + 313
140 19 AccountsDaemon 0x00007fff8c2ef7e3 -[ACDDatabase initWithPath:] + 129
141 20 AccountsDaemon 0x00007fff8c2ef748 -[ACDDatabase initWithDefaultPath] + 64
142 21 AccountsDaemon 0x00007fff8c2ec170 -[ACDClient initWithConnection:database:] + 183
143 22 AccountsDaemon 0x00007fff8c2e850c -[ACDServer createClientForConnection:] + 69
144 23 AccountsDaemon 0x00007fff8c2e6f3e -[ACDServer listener:shouldAcceptNewConnection:] + 78
145 24 Foundation 0x00007fff8b8a016e service_connection_handler_make_connection + 178
146 25 libxpc.dylib 0x00007fff8c5d2d15 _xpc_connection_call_event_handler + 58
147 26 libxpc.dylib 0x00007fff8c5d2a3a _xpc_connection_mach_event + 2324
148 27 libdispatch.dylib 0x00007fff911ccba8 _dispatch_client_callout4 + 9
149 28 libdispatch.dylib 0x00007fff911cdc9f _dispatch_mach_msg_invoke + 445
150 29 libdispatch.dylib 0x00007fff911ca3bc _dispatch_queue_drain + 571
151 30 libdispatch.dylib 0x00007fff911cc540 _dispatch_mach_invoke + 232
152 31 libdispatch.dylib 0x00007fff911ca3bc _dispatch_queue_drain + 571
153 32 libdispatch.dylib 0x00007fff911ca030 _dispatch_queue_invoke + 202
154 33 libdispatch.dylib 0x00007fff911c9bef _dispatch_root_queue_drain + 463
155 34 libdispatch.dylib 0x00007fff911c9a1c _dispatch_worker_thread3 + 91
156 35 libsystem_pthread.dylib 0x00007fff8da6ba9d _pthread_wqthread + 729
157 36 libsystem_pthread.dylib 0x00007fff8da693dd start_wqthread + 13
158 )
159
160 Loaded kernel extensions
161
162 [FIREWALL]
163
164 System services loaded
165
166 [FIREWALL]
167 com.adobe.fpsaud
168 com.apple.spindump
169 - status: 75
170 com.apple.watchdogd
171 com.malwarebytes.MBAMHelperTool
172
173 Login services loaded
174
175 [FIREWALL]
176 com.apple.SocialPushAgent
177 - status: -6
178 com.apple.accountsd
179 - status: -6
180 com.apple.bird
181 - status: -6
182 com.apple.sharingd
183 - status: -6
184
185 Login services disabled
186
187 com.apple.FolderActions.folders
188 com.apple.FolderActions.enabled
189
190 User services disabled
191
192 com.apple.FolderActions.folders
193 com.apple.FolderActions.enabled
194
195 Contents of /Library/LaunchAgents/[FIREWALL].plist
196 - mod date: Jan 3 18:20:22 2016
197 - size (B): 464
198 - checksum: 2014742307
199
200 <?xml version="1.0" encoding="UTF-8"?>
201 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
202 <plist version="1.0">
203 <dict>
204 <key>KeepAlive</key>
205 <true/>
206 <key>Label</key>
207 <string>[FIREWALL]</string>
208 <key>ProgramArguments</key>
209 <array>
210 <string>/Library/[FIREWALL]</string>
211 </array>
212 <key>RunAtLoad</key>
213 <true/>
214 </dict>
215 </plist>
216
217 Contents of /Library/LaunchDaemons/[FIREWALL].plist
218 - mod date: Jan 3 18:20:22 2016
219 - size (B): 631
220 - checksum: 4174275850
221
222 <?xml version="1.0" encoding="UTF-8"?>
223 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
224 <plist version="1.0">
225 <dict>
226 <key>KeepAlive</key>
227 <true/>
228 <key>Label</key>
229 <string>[FIREWALL]</string>
230 <key>ProgramArguments</key>
231 <array>
232 <string>/Library/[FIREWALL]</string>
233 </array>
234 <key>RunAtLoad</key>
235 <true/>
236 <key>StandardErrorPath</key>
237 <string>/Library/Logs/[FIREWALL].log</string>
238 <key>StandardOutPath</key>
239 <string>/Library/Logs/[FIREWALL].log</string>
240 </dict>
241 </plist>
242
243 Contents of /Library/LaunchDaemons/com.malwarebytes.MBAMHelperTool.plist
244 - mod date: Apr 5 16:57:45 2016
245 - size (B): 584
246 - checksum: 2299099766
247
248 <?xml version="1.0" encoding="UTF-8"?>
249 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
250 <plist version="1.0">
251 <dict>
252 <key>Label</key>
253 <string>com.malwarebytes.MBAMHelperTool</string>
254 <key>MachServices</key>
255 <dict>
256 <key>com.malwarebytes.MBAMHelperTool</key>
257 <true/>
258 </dict>
259 <key>Program</key>
260 <string>/Library/PrivilegedHelperTools/com.malwarebytes.MBAMHelperTool</string>
261 <key>ProgramArguments</key>
262 <array>
263 <string>/Library/PrivilegedHelperTools/com.malwarebytes.MBAMHelperTool</string>
264 </array>
265 </dict>
266 </plist>
267
268 Contents of /System/Library/LaunchAgents/com.apple.SafariPlugInUpdateNotifier.plist
269 - mod date: Dec 21 07:57:59 2015
270 - size (B): 779
271 - checksum: 941105980
272
273 <?xml version="1.0" encoding="UTF-8"?>
274 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
275 <plist version="1.0">
276 <dict>
277 <key>EnablePressuredExit</key>
278 <true/>
279 <key>Label</key>
280 <string>com.apple.SafariPlugInUpdateNotifier</string>
281 <key>Program</key>
282 <string>/usr/libexec/SafariPlugInUpdateNotifier</string>
283 <key>LaunchEvents</key>
284 <dict>
285 <key>com.apple.fsevents.matching</key>
286 <dict>
287 <key>UserFlashPlugInModified</key>
288 <dict>
289 <key>Path</key>
290 <string>~/Library/Internet Plug-Ins/Flash Player.plugin</string>
291 </dict>
292 <key>SystemFlashPlugInModified</key>
293 <dict>
294 <key>Path</key>
295 <string>/Library/Internet Plug-Ins/Flash Player.plugin</string>
296 </dict>
297 </dict>
298
299 ...and 3 more line(s)
300
301 Contents of /System/Library/LaunchDaemons/org.apache.httpd.plist
302 - mod date: Apr 24 13:51:28 2015
303 - size (B): 554
304 - checksum: 3012644940
305
306 <?xml version="1.0" encoding="UTF-8"?>
307 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
308 <plist version="1.0">
309 <dict>
310 <key>Disabled</key>
311 <true/>
312 <key>Label</key>
313 <string>org.apache.httpd</string>
314 <key>EnvironmentVariables</key>
315 <dict>
316 <key>XPC_SERVICES_UNAVAILABLE</key>
317 <string>1</string>
318 </dict>
319 <key>ProgramArguments</key>
320 <array>
321 <string>/usr/sbin/httpd-wrapper</string>
322 <string>-D</string>
323 <string>FOREGROUND</string>
324 </array>
325 <key>OnDemand</key>
326 <false/>
327 </dict>
328 </plist>
329
330 Contents of Library/LaunchAgents/com.apple.FolderActions.folders.plist
331 - mod date: Jan 11 01:59:40 2015
332 - size (B): 517
333 - checksum: 1189540302
334
335 <?xml version="1.0" encoding="UTF-8"?>
336 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
337 <plist version="1.0">
338 <dict>
339 <key>Label</key>
340 <string>com.apple.FolderActions.folders</string>
341 <key>Program</key>
342 <string>/usr/bin/osascript</string>
343 <key>ProgramArguments</key>
344 <array>
345 <string>osascript</string>
346 <string>-e</string>
347 <string>tell application "Folder Actions Dispatcher" to tick</string>
348 </array>
349 <key>WatchPaths</key>
350 <array/>
351 </dict>
352 </plist>
353
354 Unreadable plists
355
356 /Library/Preferences/com.epson.Epson Scanner ICA Driver.UnInstallList.plist
357
358 User login items
359
360 iTunesHelper
361 - /Applications/iTunes.app/Contents/MacOS/iTunesHelper.app
362 VMware Fusion Start Menu
363 - /Applications/VMware Fusion.app/Contents/Library/VMware Fusion Start Menu.app
364
365 iCloud errors
366
367 cloudd 672
368 Finder 26
369 bird 24
370 ClamXav 11
371 Spotlight 1
372 CallHistorySyncHelper 1
373
374 Continuity errors
375
376 sharingd 818
377
378 Restrictive permissions: 7
379
380 Lockfiles: 6
381
382 Global prefs (user)
383
384 "HEWLETT-PACKARD DESKJET 1220C" = 1
385
386 Extensions
387
388 /Library/Extensions/[FIREWALL].kext
389 - [FIREWALL]
390 - [FIREWALL]
391
392 Applications
393
394 /Applications/DetectX.app
395 - com.sqwarq.DetectX
396 - Philip Stokes (MAJ5XBJSG3)
397 /Applications/Malwarebytes Anti-Malware.app
398 - com.malwarebytes.antimalware
399 - Malwarebytes Corporation (GVZRY6KDKR)
400
401 Frameworks
402
403 /Library/Frameworks/Adlm.framework
404 - com.autodesk.adlmfmwk
405
406 PrefPane
407
408 /Library/PreferencePanes/Flash Player.prefPane
409 - com.adobe.flashplayerpreferences
410 /Library/PreferencePanes/Tuxera NTFS.prefPane
411 - com.tuxera.ntfs.mac.prefpane
412
413 Bundles
414
415 /Library/Internet Plug-Ins/DirectorShockwave.plugin
416 - com.adobe.director.shockwave.pluginshim
417 - Adobe Systems, Inc.
418 /Library/Internet Plug-Ins/Flash Player.plugin
419 - com.macromedia.Flash Player.plugin
420 - Adobe Systems, Inc.
421 /Library/Internet Plug-Ins/OfficeLiveBrowserPlugin.plugin
422 - com.microsoft.officelive.browserplugin
423 /Library/Internet Plug-Ins/Quartz Composer.webplugin
424 - com.apple.QuartzComposer.webplugin
425 - Software Signing
426 /System/Library/Filesystems/fusefs_txantfs.fs
427 - com.tuxera.filesystems.util.fusefs_txantfs
428 /Users/USER/Library/Address Book Plug-Ins/SkypeABDialer.bundle
429 - com.skype.skypeabdialer
430 /Users/USER/Library/Address Book Plug-Ins/SkypeABSMS.bundle
431 - com.skype.skypeabsms
432
433 Bundles (new)
434
435 /Applications/DetectX.app
436 - com.sqwarq.DetectX
437 - Philip Stokes (MAJ5XBJSG3)
438 /Applications/Malwarebytes Anti-Malware.app
439 - com.malwarebytes.antimalware
440 - Malwarebytes Corporation (GVZRY6KDKR)
441
442 Library paths
443
444 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libKQOAuthAdlm.dylib
445 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libQtCoreAdlm.4.dylib
446 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libQtGuiAdlm.4.dylib
447 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libQtNetworkAdlm.4.dylib
448 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libQtScriptAdlm.4.dylib
449 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libQtWebKitAdlm.4.dylib
450 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libQtXmlAdlm.4.dylib
451 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libRegisterToday.dylib
452 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libadlmO2Services.dylib
453 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libadlmPIT.dylib
454 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libadlmact.dylib
455 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libadlmact_libFNP.dylib
456 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libadlmcascade.dylib
457 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libadlmerrorLog.dylib
458 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libadlmutil.dylib
459 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/liblmubase.dylib
460 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/liblmubase_std.dylib
461 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/liblmumain.dylib
462 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/liblmupipe.dylib
463 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/liblmupipe_std.dylib
464 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/liblmuui.dylib
465 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libphononAdlm.4.dylib
466 /Users/USER/Library/Application Support/Firefox/Profiles/r65sokqu.default/gmp-gmpopenh264/1.1/libgmpopenh264.dylib
467 /Users/USER/Library/Application Support/Firefox/Profiles/r65sokqu.default/gmp-gmpopenh264/1.5.3/libgmpopenh264.dylib
468 /usr/local/clamXav/lib/libclamav.7.dylib
469 /usr/local/clamXav/lib/libclamunrar.7.dylib
470 /usr/local/clamXav/lib/libpcre.1.dylib
471 /usr/local/clamXav/lib/libpcre16.0.dylib
472 /usr/local/clamXav/lib/libpcre32.0.dylib
473 /usr/local/clamXav/lib/libpcrecpp.0.dylib
474 /usr/local/clamXav/lib/libpcreposix.0.dylib
475
476 App extensions
477
478 uk.co.canimaansoftware.clamxav.ClamXav-Latest
479
480 Modifications
481
482 file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/darwin.iso
483 file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/darwin.iso.sig
484 file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/freebsd.iso
485 file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/freebsd.iso.sig
486 file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/linux.iso
487 file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/linux.iso.sig
488 file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/netware.iso
489 file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/netware.iso.sig
490 file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/solaris.iso
491 file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/solaris.iso.sig
492 ...
493
494 Signatures
495
496 /System/Library/Accounts/Notification/CloudDocsAccountNotificationPlugin.bundle : bundle format unrecognized, invalid, or unsuitable
497 /System/Library/Extensions/hp_io_enabler_compound.kext: Hewlett Packard (6HB5Y2QTA3)
498 /System/Library/Frameworks/CoreTelephony.framework: bundle format unrecognized, invalid, or unsuitable
499 /System/Library/PrivateFrameworks/GPUSupport.framework: bundle format unrecognized, invalid, or unsuitable
500
501 Installations
502
503 ClamXav Scanning Engine v0.99 update 4: 05/04/2016 16:59
504 Adobe Flash Player: 20/02/2016 23:04
505 Adobe Flash Player: 31/12/2015 17:45
506 Adobe Flash Player: 24/11/2015 19:36
507 Adobe Flash Player: 24/10/2015 18:29
508
509 Elapsed time (sec): 557
-
Apr 6, 2016 3:42 AM in response to Shawody, by Shawody:
Some additional info:
- I've disconnected everything from my network, connected that Mac online, ran the test and uploaded it here. I was not comfortable with sharing a USB drive with a healthy machine.
- Malwarebytes, DetectX and ClamXav/ClamAV were installed after it was infected, to find possible traces. However, they're all trial versions, and Malwarebytes and DetectX seem to scan the system in a second, which looks fishy to me. ClamXav, on the other hand, doesn't allow me to select any folder other than the User folder; if I try to add something else, I just get a spinning wheel, and nothing happens even after minutes of waiting. The User folder came out supposedly clean.
- I've just noticed in the Console that I keep getting a CoreData error and ReportCrash on a second-by-second basis. It keeps saying there is an illegal attempt to save to a file that was never opened.
-
Apr 6, 2016 4:26 AM in response to Shawody, by Shawody:
Also let me know if you need any other info. And please bear in mind that the machine does have VMware Fusion and Windows 8.1 installed; however, as mentioned before, none of the Windows folders have been encrypted.
-
Apr 6, 2016 6:00 AM in response to Shawody, by Linc Davis:
You removed some non-personal details that would be needed for a full evaluation of the output, but that doesn't matter as far as the original question is concerned. There's no evidence of malware, known or unknown. I think the security breach was caused by virtualized Windows malware with access to the host filesystem. The same thing has happened to others. I don't know why guest files were not affected. Maybe they were protected by something running on the guest system.
I also think that a Windows guest should not be given read-write access to the user's whole home folder on the host. I don't see the point of that, and the risks are obvious.
If you don't agree with me, you should erase the startup volume, reinstall OS X, and restore only documents from a backup. All third-party software (not including useless items such as "anti-malware" and "security" products) should be reinstalled from original media or fresh downloads.
-
Apr 6, 2016 6:20 AM in response to Linc Davis, by Shawody:
Hi Linc,
Thanks for getting back to me. What I removed and put into square brackets, like this: [FIREWALL], is all one and the same application. It is my firewall for internal and external connections. The only other info I removed was the serials for my hard drives; I left the brands. As you can see, I haven't messed with line numbers or anything like that.
I value your point; however, I don't remember giving VMware read-write access to the whole user home folder. It was merely some shared folders. Is there a way you would recommend setting up VMware so that both Win and Mac can have access to the necessary folders while still protecting the user's home folder?
I was planning to do a complete wipe and fresh install anyway, purely out of concern that I don't know when and how this malware/ransomware got onto the system. I was hoping that with some help I might find those details out, so I could know whether I can still rescue some of the non-encrypted files. What also troubled me is why only Mac folders were affected, and especially those in Library/Containers, but as it seems I'm not going to find more answers, it will all have to go... unless you have any other solution/tip/suggestion? :/
-
Apr 6, 2016 6:23 AM in response to Linc Davis, by Shawody:
Regarding malware and AV apps, I kind of agree with you... and as I said, they were only installed afterwards to check for possible traces. However, that didn't really happen, so they were useless, and they won't be installed again.
Another thing I found out during my research was that even if you had one installed, if it is a new version roaming around, they wouldn't catch it unless the databases had been updated for that specific threat. So it's mostly a lose-lose situation.
-
Apr 6, 2016 6:47 AM in response to Shawody, by Linc Davis:
"Is there a way you would recommend setting VMWare, so that both Win and Mac can have access to necessary folders, while still protecting Users home folder?"
The only reason I can see for allowing a VM access to the host filesystem is so that you can move files between it and the guest. For that purpose all you need is a single folder. It should be used for temporary storage only. Windows can't do anything useful with your permanent OS X library files. All it can do is destroy them.
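
Added example, not from Linc's reply or from VMware's own material: a way to check which host folders a Fusion VM actually exposes, and with what access, which is the question behind the last two exchanges (Shawody's "merely some shared folders" and Linc's single-folder advice). Fusion records shares in the VM's .vmx file as sharedFolderN.* keys (present, enabled, readAccess, writeAccess, hostPath, guestName, expiration), and isolation.tools.hgfs.disable turns host-guest file sharing off entirely. Those key names are from my own reading of .vmx files and are an assumption here, as is the sample file, which is constructed; the USER placeholder follows the report. The script rates every enabled share by what a hostile guest could do to the host through it, and prints the lines for the single read-write exchange folder Linc recommends.

```python
import re
from pathlib import PurePosixPath

# A .vmx file is a flat list of   key = "value"   lines.
VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')
SHARE_KEY = re.compile(r"^sharedFolder(\d+)\.(\w+)$")


def parse_vmx(text):
    cfg = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)  # a later duplicate key wins, as in the file itself
    return cfg


def is_true(value):
    return str(value).strip().upper() == "TRUE"


def shared_folders(cfg):
    """Group the sharedFolderN.* keys into one dict per share, in index order."""
    shares = {}
    for key, value in cfg.items():
        m = SHARE_KEY.match(key)
        if m:
            shares.setdefault(int(m.group(1)), {})[m.group(2)] = value
    return [shares[i] for i in sorted(shares)]


def covers(host_path, target):
    """True if host_path is target itself or one of its ancestors."""
    hp, tg = PurePosixPath(host_path), PurePosixPath(target)
    return hp == tg or hp in tg.parents


def audit_vmx(text, home):
    """Rate every enabled share by what a hostile guest could do to the host through it."""
    cfg = parse_vmx(text)
    if is_true(cfg.get("isolation.tools.hgfs.disable", "FALSE")):
        return []  # host-guest file sharing is off at the hypervisor level; nothing to rate
    sensitive = (home, str(PurePosixPath(home) / "Library"))
    findings = []
    for share in shared_folders(cfg):
        if not (is_true(share.get("present")) and is_true(share.get("enabled"))):
            continue
        path = share.get("hostPath", "")
        writable = is_true(share.get("writeAccess"))
        if writable and any(covers(path, s) for s in sensitive):
            risk = "HIGH"    # guest malware can encrypt or delete the home folder, ~/Library included
        elif writable:
            risk = "MEDIUM"  # guest can destroy whatever lives in that one folder
        else:
            risk = "LOW"     # read-only: exposure of contents at worst, no destruction
        findings.append({"guestName": share.get("guestName"), "hostPath": path,
                         "writable": writable, "risk": risk})
    return findings


def exchange_folder_vmx(index, host_path, guest_name):
    """vmx lines for one read-write drop folder, the only share the advice above leaves in place."""
    p = f"sharedFolder{index}"
    return [f'sharedFolder.maxNum = "{index + 1}"',
            f'{p}.present = "TRUE"', f'{p}.enabled = "TRUE"',
            f'{p}.readAccess = "TRUE"', f'{p}.writeAccess = "TRUE"',
            f'{p}.hostPath = "{host_path}"', f'{p}.guestName = "{guest_name}"',
            f'{p}.expiration = "never"']


# Constructed sample: a guest that shares the whole home folder and the Desktop read-write,
# plus a disabled exchange folder. Key names are assumed from .vmx files seen in practice.
SAMPLE_VMX = """\
.encoding = "UTF-8"
displayName = "Windows 8.1"
isolation.tools.hgfs.disable = "FALSE"
sharedFolder.maxNum = "3"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.readAccess = "TRUE"
sharedFolder0.writeAccess = "TRUE"
sharedFolder0.hostPath = "/Users/USER"
sharedFolder0.guestName = "USER"
sharedFolder1.present = "TRUE"
sharedFolder1.enabled = "TRUE"
sharedFolder1.readAccess = "TRUE"
sharedFolder1.writeAccess = "TRUE"
sharedFolder1.hostPath = "/Users/USER/Desktop"
sharedFolder1.guestName = "Desktop"
sharedFolder2.present = "TRUE"
sharedFolder2.enabled = "FALSE"
sharedFolder2.readAccess = "TRUE"
sharedFolder2.writeAccess = "FALSE"
sharedFolder2.hostPath = "/Users/USER/VM Exchange"
sharedFolder2.guestName = "Exchange"
"""

if __name__ == "__main__":
    for f in audit_vmx(SAMPLE_VMX, "/Users/USER"):
        print(f"{f['risk']:6} {f['guestName']:10} -> {f['hostPath']} (write={f['writable']})")
    print("\n".join(exchange_folder_vmx(0, "/Users/USER/VM Exchange", "Exchange")))
```

To run it against a real VM, read the .vmx from inside the .vmwarevm bundle instead of SAMPLE_VMX. Note that the hardened exchange folder still rates MEDIUM: anything left in it while the guest runs is at the guest's mercy, which is why Linc calls it temporary storage, and a folder synced to Google Drive and shared the same way carries that exposure into the cloud copy as well.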
-
Apr 6, 2016 9:33 AM in response to Linc Davis, by Shawody:
What would you recommend doing when you need one file to be accessible to both all the time, as it is synced to Google Drive? Is there a middle ground, or would you need to run two separate Google Drive clients, one on Mac and the other on Windows, in order to avoid Windows having too much access?
-
Apr 6, 2016 9:57 AM in response to Shawody, by Kurt Lang:
Typically, VMs allow the host OS to see USB drives. So you could format a 16 GB (or whatever size you need) flash drive as FAT32 or exFAT. Put the files from the Mac onto the drive. In the VM, the flash drive should appear as a mountable drive without having any other type of access to OS X. It can also of course be used in reverse. Put files from Windows onto the USB drive and dismount it. Pull the files off the drive from OS X.
-
Apr 6, 2016 10:16 AM in response to Shawody, by Linc Davis:
"would you need to run two separate Google Drive clients...one on Mac and the other on Win platform"
I see no reason not to do that. But don't forget: if Windows malware destroys cloud data, all clients that access the same data will be affected.
-
Apr 6, 2016 10:28 AM in response to Kurt Lang, by Shawody:
This is going to be fun to explain to my friend. :/
*sarcasm*
Yes, you can work side by side, but no, you can't see the files. You have to copy/paste onto the USB drive, then eject the drive, plug it back in and enable it in Windows. Do your work, save it back to the USB drive, eject it and reconnect it on the Mac, and save the file to where it was.
*sarcasm*