
Malware has setup a hidden partition

2775 Views 55 Replies Latest reply: Jan 11, 2014 11:32 PM by MadMacs0

Royal Cascadian
May 27, 2013 9:55 AM

Malware has set up a hidden 70 gig partition. The only way I found it was to save a web page as a PDF and it asked where. Under possible locations a "k" drive was an option. I then reset the computer to see hidden devices and hidden files. I found a 70 gig drive hidden. It seems to have been activated on May 14th. I can't unmount or eject it from the sidebar. It's not allowing me to do anything with it because I don't have permission. I downloaded the Flashback security file from Apple and it says that my drive doesn't meet the requirements for this update.

How do I get the permission to get this off and how do I get it off?

Mac mini, OS X Mountain Lion (10.8.3)
  • Topher Kessler (Level 6, 9,295 points)
    May 27, 2013 9:59 AM (in response to Royal Cascadian)

    It's likely not malware, but could you do the following to help determine what is going on? First open the Terminal utility and run the following command (copy and paste it into the Terminal and then press Enter), and then copy and paste the output from the Terminal into a message here:

    diskutil list

    Is the item in the Finder sidebar listed under "DEVICES" or is it under a different category such as "SHARED"?

    MacBook Pro, OS X Mountain Lion (10.8.2), 17", 2.5GHz i7, 16GB RAM, 512GB SSD
  • Topher Kessler (Level 6, 9,295 points)
    May 27, 2013 11:08 AM (in response to Royal Cascadian)

    This is not showing as an attached device or hardware volume on your system. At most right now you have a ~68 megabyte (not gigabyte) disk image that is mounted, which is called "Flashback Removal Se..." (ends with something else, likely "Security Update"?).

    This is likely the following utility that Apple provides for removing the Flashback malware that affected a number of Mac users a few years ago: http://support.apple.com/kb/dl1534

    The disk image is a small ~2MB file, but when mounted it defines a disk that is 70MB in size (68.7, to be exact).

    Try searching your system for a file called "FlashbackRemovalUpdate.dmg" and remove it. This may be in your Downloads folder.

    Does this image show up if you create a new user account in the Users & Groups system preferences and log into this account? If not, then it is very likely just Apple's updater that you have downloaded.

    You can also try finding this file by opening the Terminal utility and running the following command (copy and paste it into the Terminal to run):

    # the wildcard also matches FlashbackRemovalUpdate.dmg; the quotes keep the shell from splitting the path
    find ~ "$TMPDIR.." -name 'FlashbackRemovalUpdate*' 2>/dev/null

    When this command runs, it will output any instances of this name that are found in your home folder and in a temporary folder your account uses for things like caches. Copy and paste any output you see to another message here, so we can take a look and direct you what to do next.

    MacBook Pro, OS X Mountain Lion (10.8.2), 17", 2.5GHz i7, 16GB RAM, 512GB SSD
  • Topher Kessler (Level 6, 9,295 points)
    May 27, 2013 11:09 AM (in response to Royal Cascadian)

    Royal Cascadian wrote:

        I should also mention the flashback removal update went to the k device.

    What do you mean by that?

  • MadMacs0 (Level 4, 3,320 points)
    May 27, 2013 11:23 AM (in response to Royal Cascadian)

    Royal Cascadian wrote:

        I downloaded the flashback security file from Apple and it says that my drive doesn't meet the requirements for this update.

    That was only for OS X 10.5.8 on Intel Macs. Flashback has been extinct for almost a year now. Every Security and Java update runs the Malware Removal Tool which is supposed to remove all commonly found malware.

  • MadMacs0 (Level 4, 3,320 points)
    May 27, 2013 11:39 AM (in response to Royal Cascadian)

    I downloaded the Flashback Removal Security Update, mounted it on the desktop and see exactly the same thing, except that in the sidebar of the Finder window it says "Flashback Removal..." instead of "I K".

    When I eject the volume using the Finder or Disk Utility, it is no longer mounted. The volume name remains in Disk Utility, but goes away when I drag it from the sidebar. This is the expected behavior.

    BTW, if you use the camera icon above you can upload those images here so we don't have to open them separately.

  • Topher Kessler (Level 6, 9,295 points)
    May 27, 2013 11:42 AM (in response to Royal Cascadian)

    Ah! That is your hard drive, which for some reason got renamed in the Finder sidebar. Try going to the Finder's Preferences and then check the box next to "Hard disks" in the Sidebar settings to toggle this on and off, and see if it changes back to Macintosh HD.

    Alternatively, right-click the "k" drive and try changing its name to Macintosh HD using the contextual menu.

  • Topher Kessler (Level 6, 9,295 points)
    May 27, 2013 11:52 AM (in response to Royal Cascadian)

    If you cannot seem to rename it, then go to the Go menu, hold the Option key, and choose Library from the list that pops up. In here, go to the Preferences folder and remove the file called "com.apple.sidebarlists.plist" and then log out and back in to your account and see if you can rename the disk accordingly.

  • Topher Kessler (Level 6, 9,295 points)
    May 27, 2013 11:55 AM (in response to Royal Cascadian)

    ...and the 70GB you are seeing there is the size on disk, meaning it's the amount of used space and not the size of the drive itself. If you select the drive and press Command-I you will see this value under Used, and see its full capacity and available space listed above it.

  • thomas_r. (Level 7, 26,930 points)
    May 27, 2013 11:58 AM (in response to Royal Cascadian)

    What you are seeing is not due to malware of any kind. As Topher says, you just renamed your hard drive accidentally.

    The reason that your diskutil output appears to show three drives is, I believe, because you must be using FileVault encryption. The first item, /dev/disk0, is the overall schema of the hard drive. The main partition there, disk0s2, I believe contains the encrypted contents of your hard drive. The second, /dev/disk1, is a virtual "disk" mounted much like a disk image file, representing the unencrypted contents of your hard drive. The third, /dev/disk2, is your Flashback Removal disk image, which you had open at the time that command was executed.

    For more information about malware that exists on Mac OS X, see my Mac Malware Guide. Note that there is no known malware that creates hidden partitions on a Mac OS X system.
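
The three-entry diskutil picture described in the last reply (physical disk, CoreStorage logical volume, mounted .dmg) can be checked mechanically rather than by eye. The shell script below is an added example, not code posted in this thread: it parses the text of "diskutil list" and "hdiutil info" (passed in as strings, so the constructed sample output embedded in it stands in for a live system) and labels each whole disk as a partitioned physical device, a CoreStorage logical volume, or an attached disk image together with the file backing it. The sample device names, sizes and the /Users/example/... path are assumptions modelled on the situation in the thread, not captured output.

```shell
#!/bin/sh
# Added example (not code from the thread): cross-check "diskutil list" against
# "hdiutil info" so that a mounted .dmg and a FileVault (CoreStorage) logical
# volume are not mistaken for hidden partitions on the physical disk.
# Both sample outputs below are constructed; device names, sizes and the
# /Users/example path are assumptions modelled on the situation in the thread.

SAMPLE_DISKUTIL='/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:          Apple_CoreStorage                         499.2 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS k                      *498.9 GB   disk1
/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     Apple_partition_scheme                        *68.7 MB    disk2
   1:        Apple_partition_map                         32.3 KB    disk2s1
   2:                  Apple_HFS Flashback Removal       68.6 MB    disk2s2'

SAMPLE_HDIUTIL='framework       : 480.60.2
driver          : 10.8v344
================================================
image-path      : /Users/example/Downloads/FlashbackRemovalUpdate.dmg
image-type      : UDIF read-only compressed (zlib)
writeable       : false
/dev/disk2      Apple_partition_scheme
/dev/disk2s1    Apple_partition_map
/dev/disk2s2    Apple_HFS       /Volumes/Flashback Removal'

# "identifier path" for every whole disk that hdiutil reports as an attached
# image: each image section starts with image-path and lists its /dev nodes.
image_devices() {
    printf '%s\n' "$1" | awk '
        $1 == "image-path" { sub(/^image-path *: */, ""); path = $0; next }
        $1 ~ /^\/dev\/disk[0-9]+$/ { sub(/^\/dev\//, "", $1); print $1, path }'
}

# "identifier type" for row 0 of every /dev/diskN block in diskutil list.
whole_disks() {
    printf '%s\n' "$1" | awk '$1 == "0:" { print $NF, $2 }'
}

# True when the physical disk carries a CoreStorage physical volume
# (FileVault 2 or Fusion Drive), which implies a separate logical volume disk.
has_corestorage() {
    printf '%s\n' "$1" | grep -q 'Apple_CoreStorage'
}

# Print one classification line per whole disk.
audit_disks() {
    disklist=$1
    images=$(image_devices "$2")
    whole_disks "$disklist" | while read -r id type; do
        # path of the backing image file, empty when this disk is not an image
        img=$(printf '%s\n' "$images" |
              awk -v id="$id" '$1 == id { print substr($0, length(id) + 2); exit }')
        if [ -n "$img" ]; then
            printf '%s: attached disk image (%s)\n' "$id" "$img"
        else
            case "$type" in
                *_partition_scheme)
                    printf '%s: partitioned disk (physical device)\n' "$id" ;;
                *)
                    if has_corestorage "$disklist"; then
                        printf '%s: CoreStorage logical volume (decrypted view of an Apple_CoreStorage partition)\n' "$id"
                    else
                        printf '%s: unpartitioned whole disk\n' "$id"
                    fi ;;
            esac
        fi
    done
}

audit_disks "$SAMPLE_DISKUTIL" "$SAMPLE_HDIUTIL"
```

On a real Mac you would feed it live output, e.g. audit_disks "$(diskutil list)" "$(hdiutil info)". Anything reported as an attached disk image is backed by a file you can locate and detach with hdiutil, and a disk that has no partition scheme of its own while the physical disk carries an Apple_CoreStorage partition is the decrypted logical volume, which is exactly the FileVault layout thomas_r. describes.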
