
Malware has set up a hidden partition

Malware has set up a hidden 70 gig partition. The only way I found it was to save a web page as a PDF and it asked where. Under possible locations a "k" drive was an option. I then reset the computer to see hidden devices and hidden files. I found a 70 gig drive hidden. It seems to have been activated on May 14th. I can't unmount or eject it from the sidebar. It's not allowing me to do anything with it because I don't have permission. I downloaded the Flashback security file from Apple and it says that my drive doesn't meet the requirements for this update.


How do I get the permission to get this off and how do I get it off?

Mac mini, OS X Mountain Lion (10.8.3)

Posted on May 27, 2013 9:55 AM

55 replies

May 27, 2013 9:59 AM in response to Royal Cascadian

It's likely not malware, but could you do the following to help determine what is going on? First open the Terminal utility and run the following command (copy and paste it into the Terminal and then press Enter), and then copy and paste the output from the Terminal into a message here:


diskutil list


Is the item in the Finder sidebar listed under "DEVICES" or is it under a different category such as "SHARED"?

May 27, 2013 10:53 AM in response to Topher Kessler

I'm positive it's malware because when I accidentally hit a link on a page for streaming sports the same day the partition happened, it downloaded a flash player file and has since setup the "k" drive all on the same day as this download.


The k drive is under Devices in the sidebar, only visible after allowing hidden devices to be seen. There is no "eject" or unmount button next to it.


The Terminal output:

    /dev/disk0
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:      GUID_partition_scheme                        *500.1 GB   disk0
       1:                        EFI                         209.7 MB   disk0s1
       2:          Apple_CoreStorage                         499.2 GB   disk0s2
       3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
    /dev/disk1
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:                  Apple_HFS Macintosh HD           *498.9 GB   disk1
    /dev/disk2
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:     Apple_partition_scheme                        *68.8 MB    disk2
       1:        Apple_partition_map                         30.7 KB    disk2s1
       2:         Apple_Driver_ATAPI                         2.0 KB     disk2s2
       3:                  Apple_HFS Flashback Removal Se... 68.7 MB    disk2s3



The K in the sidebar is a separate "Macintosh HD" that is 70 gigs, only visible when I turned on show hidden files. It's not showing up on this list, but I have to wait for iPhoto to update to paste a screen capture of the files in Finder.

May 27, 2013 11:08 AM in response to Royal Cascadian

This is not showing as an attached device or hardware volume on your system. At most right now you have a ~68 megabyte (not gigabyte) disk image that is mounted, which is called "Flashback Removal Se..." (ends with something else, likely "Security Update"?).


This is likely this following utility that Apple provides for removing the Flashback malware that affected a number of Mac users a few years ago: http://support.apple.com/kb/dl1534


The disk image is a small ~2MB file, but when mounted it defines a disk that is 70MB in size (68.7, to be exact).


Try searching your system for a file called "FlashbackRemovalUpdate.dmg" and remove it. This may be in your Downloads folder.


Does this image show up if you create a new user account in the Users & Groups system preferences and log into this account? If not, then it is very likely just Apple's updater that you have downloaded.


You can also try finding this file by opening the Terminal utility and running the following command (copy and paste it into the Terminal to run):


find ~ "$TMPDIR.." -name 'FlashbackRemovalUpdate*'


When this command runs, it will output any instances of this name (with any extension, such as .dmg) that are found in your home folder and in a temporary folder your account uses for things like caches. Copy and paste any output you see into another message here, so we can take a look and direct you what to do next.

May 27, 2013 11:23 AM in response to Royal Cascadian

Royal Cascadian wrote:


I downloaded the flashback security file from Apple and it says that my drive doesn't meet the requirements for this update.

That was only for OS X 10.5.8 on Intel Macs. Flashback has been extinct for almost a year now. Every Security and Java update runs the Malware Removal Tool which is supposed to remove all commonly found malware.

May 27, 2013 11:39 AM in response to Royal Cascadian

I downloaded the Flashback Removal Security Update, mounted it on the desktop and see exactly the same thing, except that in the sidebar of Finder window it says "Flashback Removal..." instead of "I K".


When I eject the volume using the Finder or Disk Utility, it is no longer mounted. The volume name remains in Disk Utility, but goes away when I drag it from the sidebar. This is the expected behavior.


BTW, if you use the camera icon above you can upload those images here so we don't have to open them separately.

May 27, 2013 11:42 AM in response to Royal Cascadian

Ah! That is your hard drive, which for some reason got renamed in the Finder sidebar. Try going to the Finder's Preferences and then check the box next to "Hard disks" in the Sidebar settings to toggle this on and off, and see if it changes back to Macintosh HD.


Alternatively, right-click the "k" drive and try changing its name to Macintosh HD using the contextual menu.

May 27, 2013 11:58 AM in response to Royal Cascadian

What you are seeing is not due to malware of any kind. As Topher says, you just renamed your hard drive accidentally.


The reason that your diskutil output appears to show three drives is, I believe, because you must be using FileVault encryption. The first item, /dev/disk0, is the overall schema of the hard drive. The main partition there, disk0s2, I believe contains the encrypted contents of your hard drive. The second, /dev/disk1, is a virtual "disk" mounted much like a disk image file, representing the unencrypted contents of your hard drive. The third, /dev/disk2, is your Flashback Removal disk image, which you had open at the time that command was executed.


For more information about malware that exists on Mac OS X, see my Mac Malware Guide. Note that there is no known malware that creates hidden partitions on a Mac OS X system.
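The reasoning in the replies above (read the sizes, match the CoreStorage logical volume to its physical volume, and check that every disk's slices add up to the whole disk) can be done mechanically. The following is an added example, not code from the thread or from Apple: it parses a `diskutil list` listing and labels each whole disk. The sample input is the output posted earlier, retyped; diskutil's decimal size units and its row layout are assumed, and a partition table alone cannot tell a physical drive from a mounted image, so the script defers that question to `hdiutil info`. A hidden partition of any real size would appear as bytes not covered by any slice, which is what `unaccounted_bytes` reports.

```python
"""Parse `diskutil list` output and say where each disk in it comes from.
Added example; assumes diskutil's decimal (SI) units and the posted row layout."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

UNITS = {"B": 1, "KB": 10**3, "MB": 10**6, "GB": 10**9, "TB": 10**12}

# Constructed sample input: the listing posted in the thread, retyped.
SAMPLE = """\
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:          Apple_CoreStorage                         499.2 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Macintosh HD           *498.9 GB   disk1
/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     Apple_partition_scheme                        *68.8 MB    disk2
   1:        Apple_partition_map                         30.7 KB    disk2s1
   2:         Apple_Driver_ATAPI                         2.0 KB     disk2s2
   3:                  Apple_HFS Flashback Removal Se... 68.7 MB    disk2s3
"""

# "<n>: <TYPE> <NAME> [*]<SIZE> <UNIT> <IDENTIFIER>"; NAME may be empty or contain spaces.
ROW = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<type>\S+)\s*(?P<name>.*?)\s*\*?"
    r"(?P<size>\d+(?:\.\d+)?)\s+(?P<unit>[KMGT]?B)\s+(?P<ident>disk\d+(?:s\d+)?)\s*$"
)


@dataclass
class Slice:
    ident: str
    type: str
    name: str
    size_bytes: int


@dataclass
class Disk:
    ident: str
    type: str            # TYPE of the "0:" row: a partition scheme or a bare filesystem
    name: str
    size_bytes: int
    slices: List[Slice] = field(default_factory=list)

    @property
    def scheme(self) -> Optional[str]:
        return self.type if self.type.endswith("_partition_scheme") else None


def parse_size(value: str, unit: str) -> int:
    return round(float(value) * UNITS[unit])   # round() strips float noise


def parse_diskutil(text: str) -> Dict[str, Disk]:
    disks: Dict[str, Disk] = {}
    current: Optional[Disk] = None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue                              # "/dev/diskN", "#:" header, blank lines
        sl = Slice(m["ident"], m["type"], m["name"], parse_size(m["size"], m["unit"]))
        if m["idx"] == "0":                       # row 0 describes the whole disk
            current = Disk(sl.ident, sl.type, sl.name, sl.size_bytes)
            disks[sl.ident] = current
        elif current is not None:
            current.slices.append(sl)
    return disks


def human(n: int) -> str:
    for unit in ("TB", "GB", "MB", "KB"):
        if n >= UNITS[unit]:
            return f"{n / UNITS[unit]:.1f} {unit}"
    return f"{n} B"


def unaccounted_bytes(disk: Disk) -> int:
    """Whole-disk size minus its listed slices; a hidden partition would show up here."""
    return disk.size_bytes - sum(s.size_bytes for s in disk.slices)


def classify(disks: Dict[str, Disk]) -> Dict[str, str]:
    """Explain each whole disk from the listing alone."""
    pvs = [s for d in disks.values() for s in d.slices if s.type == "Apple_CoreStorage"]
    labels: Dict[str, str] = {}
    for d in disks.values():
        if d.scheme is None:
            # A bare filesystem with no partition table whose size sits just under a
            # CoreStorage physical volume is that PV's logical volume (the FileVault 2 view).
            pv = next((p for p in pvs if 0 <= p.size_bytes - d.size_bytes <= p.size_bytes // 100), None)
            if pv is not None:
                labels[d.ident] = f"CoreStorage logical volume '{d.name}' backed by {pv.ident}"
            else:
                labels[d.ident] = f"unpartitioned volume '{d.name}', {human(d.size_bytes)}; no backing PV in listing"
            continue
        # A partition table alone does not say physical vs. image; the size, though, is unambiguous.
        labels[d.ident] = (f"partitioned disk ({d.scheme}), {human(d.size_bytes)}, "
                           f"{human(unaccounted_bytes(d))} not in any slice; "
                           f"physical drive or mounted image, confirm with `hdiutil info`")
    return labels


if __name__ == "__main__":
    for ident, label in classify(parse_diskutil(SAMPLE)).items():
        print(f"{ident}: {label}")
```

Run against the posted listing it reports disk1 as the CoreStorage logical volume behind disk0s2 and disk2 as a 68.8 MB partitioned disk (megabytes, not gigabytes), with only alignment-sized gaps unaccounted for on disk0. On a live system, pipe `diskutil list` into `parse_diskutil` and cross-check any disk without an obvious physical backing against `hdiutil info`.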
