May 27, 2013 9:59 AM (in response to Royal Cascadian)
It's likely not malware, but could you do the following to help determine what is going on? First open the Terminal utility and run the following command (copy and paste it to the Terminal and then press Enter), and then copy and paste the output from the Terminal to a message here:
Is the item in the Finder sidebar listed under "DEVICES" or is it under a different category such as "SHARED"?
MacBook Pro, OS X Mountain Lion (10.8.2), 17", 2.5GHz i7, 16GB RAM, 512GB SSD
May 27, 2013 10:53 AM (in response to Topher Kessler)
I'm positive it's malware because when I accidentally hit a link on a page for streaming sports the same day the partition happened, it downloaded a flash player file and has since set up the "k" drive all on the same day as this download.
The k drive is under devices in the sidebar, only visible after allowing hidden devices to be seen. There is no "eject" or unmount button next to it.
The Terminal output
   #:                       TYPE NAME                          SIZE   IDENTIFIER
   0:      GUID_partition_scheme                          *500.1 GB   disk0
   1:                        EFI                           209.7 MB   disk0s1
   2:          Apple_CoreStorage                           499.2 GB   disk0s2
   3:                 Apple_Boot Recovery HD               650.0 MB   disk0s3

   #:                       TYPE NAME                          SIZE   IDENTIFIER
   0:                  Apple_HFS Macintosh HD             *498.9 GB   disk1

   #:                       TYPE NAME                          SIZE   IDENTIFIER
   0:     Apple_partition_scheme                           *68.8 MB   disk2
   1:        Apple_partition_map                            30.7 KB   disk2s1
   2:         Apple_Driver_ATAPI                             2.0 KB   disk2s2
   3:                  Apple_HFS Flashback Removal Se...    68.7 MB   disk2s3
The K in the sidebar is a separate "Macintosh HD" that is 70 gigs, only visible when I turned on show hidden files. It's not showing up on this list, but I have to wait for iPhoto to update to paste a screen capture of the files in Finder.
May 27, 2013 11:08 AM (in response to Royal Cascadian)
This is not showing as an attached device or hardware volume on your system. At most right now you have a ~68 megabyte (not gigabyte) disk image that is mounted, which is called "Flashback Removal Se..." (ends with something else, likely "Security Update"?).
This is likely the following utility that Apple provides for removing the Flashback malware that affected a number of Mac users a few years ago: http://support.apple.com/kb/dl1534
The disk image is a small ~2MB file, but when mounted it defines a disk that is 70MB in size (68.7, to be exact).
Try searching your system for a file called "FlashbackRemovalUpdate.dmg" and remove it. This may be in your Downloads folder.
Does this image show up if you create a new user account in the Users & Groups system preferences and log into this account? If not, then it is very likely just Apple's updater that you have downloaded.
You can also try finding this file by opening the Terminal utility and running the following command (copy and paste it into the Terminal to run):
find ~ "$TMPDIR.." -name "FlashbackRemovalUpdate*"
When this command runs, it will output any instances of this name that are found in your home folder and in a temporary folder your account uses for things like caches. Copy and paste any output you see to another message here, so we can take a look and direct you what to do next.
MacBook Pro, OS X Mountain Lion (10.8.2), 17", 2.5GHz i7, 16GB RAM, 512GB SSD
May 27, 2013 11:23 AM (in response to Royal Cascadian)
Royal Cascadian wrote:
I downloaded the flashback security file from Apple and it says that my drive doesn't meet the requirements for this update.
That was only for OS X 10.5.8 on Intel Macs. Flashback has been extinct for almost a year now. Every Security and Java update runs the Malware Removal Tool which is supposed to remove all commonly found malware.
May 27, 2013 11:30 AM (in response to Royal Cascadian)
May 27, 2013 11:35 AM (in response to Royal Cascadian)
This one shows that HD on the "k" to be 70 gigs
May 27, 2013 11:39 AM (in response to Royal Cascadian)
I downloaded the Flashback Removal Security Update, mounted it on the desktop and see exactly the same thing, except that in the sidebar of Finder window it says "Flashback Removal..." instead of "I K".
When I eject the volume using the Finder or Disk Utility, it is no longer mounted. The volume name remains in Disk Utility, but goes away when I drag it from the sidebar. This is the expected behavior.
BTW, if you use the camera icon above you can upload those images here so we don't have to open them separately.
May 27, 2013 11:42 AM (in response to Royal Cascadian)
Ah! That is your hard drive, which for some reason got renamed in the Finder sidebar. Try going to the Finder's Preferences and then check the box next to "Hard disks" in the Sidebar settings to toggle this on and off, and see if it changes back to Macintosh HD.
Alternatively, right-click the "k" drive and try changing its name to Macintosh HD using the contextual menu.
May 27, 2013 11:52 AM (in response to Royal Cascadian)
If you cannot seem to rename it, then go to the Go menu, hold the Option key, and choose Library from the list that pops up. In here, go to the Preferences folder and remove the file called "com.apple.sidebarlists.plist" and then log out and back in to your account and see if you can rename the disk accordingly.
May 27, 2013 11:55 AM (in response to Royal Cascadian)
...and the 70GB you are seeing there is the size on disk, meaning it's the amount of used space and not the size of the drive itself. If you select the drive and press Command-I you will see this value under Used, and see its full capacity and available space listed above it.
May 27, 2013 11:58 AM (in response to Royal Cascadian)
What you are seeing is not due to malware of any kind. As Topher says, you just renamed your hard drive accidentally.
The reason that your diskutil output appears to show three drives is, I believe, because you must be using FileVault encryption. The first item, /dev/disk0, is the overall schema of the hard drive. The main partition there, disk0s2, I believe contains the encrypted contents of your hard drive. The second, /dev/disk1, is a virtual "disk" mounted much like a disk image file, representing the unencrypted contents of your hard drive. The third, /dev/disk2, is your Flashback Removal disk image, which you had open at the time that command was executed.
For more information about malware that exists on Mac OS X, see my Mac Malware Guide. Note that there is no known malware that creates hidden partitions on a Mac OS X system.
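An added example, not part of any post in this thread: a small Python parser for the diskutil rows pasted above, which converts each SIZE to bytes so a reported volume size can be checked against what is actually attached. The function names are hypothetical, and the sample is the output as it was pasted in the thread.

```python
import re

# Sample input: the partition rows exactly as pasted in the thread.
SAMPLE = """\
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *500.1 GB disk0
1: EFI 209.7 MB disk0s1
2: Apple_CoreStorage 499.2 GB disk0s2
3: Apple_Boot Recovery HD 650.0 MB disk0s3
#: TYPE NAME SIZE IDENTIFIER
0: Apple_HFS Macintosh HD *498.9 GB disk1
#: TYPE NAME SIZE IDENTIFIER
0: Apple_partition_scheme *68.8 MB disk2
1: Apple_partition_map 30.7 KB disk2s1
2: Apple_Driver_ATAPI 2.0 KB disk2s2
3: Apple_HFS Flashback Removal Se... 68.7 MB disk2s3
"""

# diskutil reports decimal units (1 GB = 10**9 bytes).
UNITS = {"B": 1, "KB": 10**3, "MB": 10**6, "GB": 10**9, "TB": 10**12}

# NAME is optional and may contain spaces; "*" marks a whole-disk row.
ROW = re.compile(
    r"^\s*\d+:\s+(?P<type>\S+)\s+(?P<name>.*?)\s*"
    r"(?P<whole>\*?)(?P<num>\d+(?:\.\d+)?) (?P<unit>[KMGT]?B)\s+"
    r"(?P<ident>disk\d+(?:s\d+)?)\s*$"
)

def parse(text):
    """Return one dict per partition row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"ident": m["ident"], "type": m["type"], "name": m["name"],
                         "bytes": round(float(m["num"]) * UNITS[m["unit"]]),
                         "whole_disk": m["whole"] == "*"})
    return rows

def near(rows, target_bytes, tolerance=0.05):
    """Identifiers whose size is within +/- tolerance of target_bytes."""
    return [r["ident"] for r in rows
            if abs(r["bytes"] - target_bytes) <= tolerance * target_bytes]

def corestorage_disks(rows):
    """Whole disks holding an Apple_CoreStorage partition (the layout the last reply attributes to FileVault)."""
    return sorted({re.match(r"disk\d+", r["ident"]).group()
                   for r in rows if r["type"] == "Apple_CoreStorage"})
```

Calling `near(parse(SAMPLE), 70 * 10**9)` returns nothing, while `near(parse(SAMPLE), 70 * 10**6)` returns the two disk2 entries, which matches the megabyte-versus-gigabyte point made earlier in the thread.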