Malware added folder /Library/Preferneces NOT /Preferences

Hello,


I suspect that a bit torrent client (or some sort of malware) has been installed on my system, but none of the anti-virus software I've tried flags it. Here are some of the symptoms:


1. After a few hours of use, I run out of disk space. (I must admit though, that I have approximately 100 tabs open in Safari. I don't use Firefox at the same time, but I may have 150-200 tabs open in Firefox when it's open. Even so, there was a definite point in the Spring / early Summer of 2012 when this became a problem. The system had _no problem_ with all the tabs before that.)

2. Among other questionable files, there is a folder in HD/Library that is MISSPELLED "Preferneces." It only has one locked file in it "DirectoryService." I cannot determine the size. The date is March 13, 2007.

3. The regular folder /Library/Preferences, has the normal files as well as several files with nonsense names such as "cfx#nEAQsrx" or "cfx#00gSvuZ." These files have a size of 0 and appear to be empty text files. Their mod dates vary from 2009 dates to August 17, 2012.

4. I ran F-Secure's Flashback Removal tool, but it found nothing.


Is there a way to determine what this is, its true location, and how to remove it?

I've done backups using Time Machine, but I assume that I have also backed up the malware as well.


I'm running OS X 10.5.8 on a MacBook.


TIA.

MacBook, Mac OS X (10.5.8)

Posted on Oct 1, 2012 9:42 PM

Question marked as Best reply

Posted on Oct 1, 2012 10:55 PM

cupen wrote:

> Hello,
>
> I suspect that a bit torrent client (or some sort of malware) has been installed on my system, but none of the anti-virus software I've tried flags it.

Bit Torrent Clients are installed by users, not malware. Did you install one?

> 1. After a few hours of use, I run out of disk space. (I must admit though, that I have approximately 100 tabs open in Safari. I don't use Firefox at the same time, but I may have 150-200 tabs open in Firefox when it's open. Even so, there was a definite point in the Spring / early Summer of 2012 when this became a problem. The system had _no problem_ with all the tabs before that.)

But I'm guessing you had a lot more hard disk space before then. That's certainly an excessive amount of tabs, but I don't see how that would relate to hard drive space. Perhaps you just need to put a limit on the amount of cache you allow Firefox. In any case, you should either off-load some files you don't need all the time onto an external or replace the hard drive with a larger one.

cupen wrote:

> 2. Among other questionable files, there is a folder in HD/Library that is MISSPELLED "Preferneces." It only has one locked file in it "DirectoryService." I cannot determine the size. The date is March 13, 2007.

OK, well this doesn't look right. If it's really been there since 2007, I'd say it isn't a problem, but I don't recognize it as being associated with any known malware. The only DirectoryService file I have is a Unix executable in /usr/sbin/.

> 3. The regular folder /Library/Preferences, has the normal files as well as several files with nonsense names such as "cfx#nEAQsrx" or "cfx#00gSvuZ." These files have a size of 0 and appear to be empty text files. Their mod dates vary from 2009 dates to August 17, 2012.

Those are not unusual.

> 4. I ran F-Secure's Flashback Removal tool, but it found nothing.

Not necessary if you ran all that Software Update had for you. There was an Apple removal tool that also disables Java in your browser which you should keep turned off.

> Is there a way to determine what this is, its true location, and how to remove it?
>
> I've done backups using Time Machine, but I assume that I have also backed up the malware as well.

What do you mean by true location? You should be able to drag the folder to the trash with admin authentication. Are you prevented from doing that? What are the permissions on the folder and file?

> I'm running OS X 10.5.8 on a MacBook.

Which is quite vulnerable these days. If you can't upgrade your OS I predict you will continue to have issues.
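Added example, not part of the thread or any poster's code: a read-only Python triage for the look-alike folder discussed above, reporting the permissions, lock flag and file type that the reply asks about. The list of standard folder names, the 0.85 similarity cutoff and the sample tree with its file contents are assumptions made for the demo.

```python
import difflib, os, stat, tempfile

# Assumption: folder names normally found in /Library on OS X (not exhaustive).
STANDARD = ["Preferences", "Application Support", "Caches", "LaunchAgents",
            "LaunchDaemons", "Frameworks", "Fonts", "Extensions", "Logs",
            "Receipts", "Keychains", "StartupItems", "Internet Plug-Ins", "Printers"]
# Leading bytes that separate executables from preference files.
MAGIC = [(b"\xca\xfe\xba\xbe", "Mach-O universal binary or Java class"),
         (b"\xfe\xed\xfa\xce", "Mach-O executable"), (b"\xce\xfa\xed\xfe", "Mach-O executable"),
         (b"\xfe\xed\xfa\xcf", "Mach-O executable"), (b"\xcf\xfa\xed\xfe", "Mach-O executable"),
         (b"bplist", "binary plist"), (b"<?xml", "XML (likely a plist)")]

def look_alikes(root, cutoff=0.85):
    """Return (found, standard) pairs for folders that nearly match a standard name."""
    hits = []
    for name in sorted(os.listdir(root)):
        if name in STANDARD or not os.path.isdir(os.path.join(root, name)):
            continue
        close = difflib.get_close_matches(name, STANDARD, n=1, cutoff=cutoff)
        if close:
            hits.append((name, close[0]))
    return hits

def inspect(path):
    """Collect size, permissions, lock flag and file type without changing the file."""
    st = os.stat(path)
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
        kind = next((label for magic, label in MAGIC if head.startswith(magic)),
                    "unknown" if head else "empty")
    except OSError:
        kind = "unreadable"
    # Finder's "Locked" checkbox is the BSD user-immutable flag (st_flags: macOS/BSD only).
    locked = bool(getattr(st, "st_flags", 0) & stat.UF_IMMUTABLE)
    return {"size": st.st_size, "mode": stat.filemode(st.st_mode), "locked": locked, "kind": kind}

def build_sample(root):
    """Constructed stand-in for /Library; file contents are invented for the demo."""
    for d in ("Preferences", "Preferneces", "Caches", "MyVendor"):
        os.mkdir(os.path.join(root, d))
    with open(os.path.join(root, "Preferneces", "DirectoryService"), "wb") as fh:
        fh.write(b"\xca\xfe\xba\xbe" + b"\0" * 60)
    open(os.path.join(root, "Preferences", "cfx#00gSvuZ"), "wb").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        print(look_alikes(root), inspect(os.path.join(root, "Preferneces", "DirectoryService")))
```

On a real system, point `look_alikes` at `/Library` and pass each file in a flagged folder to `inspect`; both functions only read.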

Oct 3, 2012 4:37 AM in response to cupen

Just to add to what MadMacs0 said, 100-150 tabs open at one time in a web browser is definitely excessive, and I would expect that to cause problems! Every site you have loaded (in a tab or window) consumes some memory, and the more memory you consume, the more your virtual memory swap files will grow. So this should not only cause you some serious performance problems, unless you've got a huge amount of RAM that you're not using for anything else, but it should be expected to eat up some disk space.


If you restart your computer and look at the hard drive before launching a browser, how much free space is there, and how large is the drive? You should have around 10% of the total capacity free on your boot drive, as a general rule of thumb... so, on a 500 GB drive, 50 GB should be free.

Oct 9, 2012 2:14 PM in response to MadMacs0

Thanks to both of you.

To respond to your comments/questions, MadMacs0:


> Bit Torrent Clients are installed by users, not malware. Did you install one?

The only reason I suspected a bit torrent client is because my office firewall flagged it as such. I never intentionally installed such a client, but I figured that, given the firewall warning and the number of tabs I have open at any given time, perhaps I opened myself up to something without knowing.


>That's certainly an excessive amount of tabs, but I don't see how that would relate to hard drive space. Perhaps you just need to put a limit on the amount of cache you allow Firefox.


Yes, the number of tabs is huge and I know that a huge amount of virtual memory is being taken up. I've tried to limit the cache size in Firefox, but that didn't resolve the problem.


>But I'm guessing you had a lot more hard disk space before then.

Not so much more. I found that deleting 5GB of data still did not resolve the problem. After a few hours, I ran out of disk space... which made me wonder again, is someone using my hd for temp storage?


>What do you mean by true location? You should be able to drag the folder to the trash with admin authentication. Are you prevented from doing that? What are the permissions on the folder and file?


By true location, I meant that apart from all the weirdly named files which you said were normal, I couldn't find one location to simply delete said bittorrent client app from. As for the permissions, oddly, today I could delete the Preferneces folder, but on the day before I wrote, I could not.


>OK, well this doesn't look right. If it's really been there since 2007, I'd say it isn't a problem...

I'm pretty sure that it HASN'T always been there. That's what's so weird. Question, what's the purpose and source of the nonsensically named files?


Thanks again.

Oct 9, 2012 2:27 PM in response to thomas_r.

Thanks, Thomas.


Yes, I assumed virtual memory was eating up a lot of disk space, but, when I did free up a lot of space, the problem didn't necessarily go away. It took longer to run out of space, but I still ran out.


Still, I'm far below that 10% now, so I'll do some house-cleaning. I'm sure the only way to really test the source of the problem is to pare it down to 1-5 tabs and free up the 10+ percent space.


Question: Could either of you recommend software for Mac backup? I want to be able to archive some backups, not merely update changes as Time Machine seems to do.


Thanks for your input.

Oct 9, 2012 7:15 PM in response to cupen

cupen wrote:


Question, what's the purpose and source of the nonsensically named files?

I have twelve cfx# files and one cf# except that all are at least 4 KB (minimum size for my hard drive). All but one of those contain valid XML preference information (.plist without the extension). The one that isn't contains a mix of text and binary data. Only one of them is from January of this year, the rest are older. They don't appear to duplicate the information in the regular .plist for the few that I was able to tie to a specific app. I don't know whether these are temp files that weren't deleted or supplementary information files. It's possible that the empty files you saw were simply placed there to mark the date a demo or shareware app was first installed so the app will know when your trial time was up. Just a guess.

Oct 9, 2012 7:46 PM in response to cupen

cupen wrote:


Could either of you recommend software for Mac backup? I want to be able to archive some backups, not merely update changes as Time Machine seems to do.

Looks like Thomas is off-the-clock at the moment, so I'll jump in and point you to what I feel certain he would have suggested, his Macintosh Backups Guide.


And here's one he most likely won't mention ;-) Most commonly used backup methods.


As for myself I use SuperDuper!, only because Carbon Copy Cloner was not available for my OS at the time I needed it. Both are recommended universally for bootable clone backup.


I also subscribe to the free CrashPlan service, backing up critical files to my out-of-town daughter's computer and she does the same back to me. This fulfills the off-site backup requirement you should adhere to. You can do the same by rotating clones to your work, family or other locations outside of your home in case of fire, flood, burglary, etc.
