Cryptowall (Help_Decrypt virus) in iCloud

Hello everyone,


So my mom got an email in for a job resume the other day and attached was a .zip file of what should have been a job resume, but when she opened it, she got a pop-up and the whole mess of the Help_Decrypt virus started spreading. EVERYWHERE!! So I just decided to wipe her iMac clean and start over (we have backups, thankfully), however it appears that the virus got into her iCloud files and is preventing her from opening all of her documents. "Spreadsheet cannot be opened"


Is there any way we can access a "restore point", or are we just screwed and have to start over?


Thanks in advance for any help everyone!

~Taylor

iMac, OS X Yosemite (10.10.3)

Posted on May 17, 2015 7:35 AM

53 replies

Apr 5, 2016 1:23 PM in response to Kurt Lang

Interesting that you mentioned Desktop. Desktop was one of the affected folders, however, I haven't seen anywhere having Desktop set as portal/shared folder between Mac and VMWare. Do you know, is that set by default on VMWare?


That's why it bugs me, if it is Windows only, how did it manage to get there, especially as there is no Flash installed on the Windows, no webpages were open or email checked there....and as said before, no Windows folders seem to be affected, only Mac ones...although some (minority, about 16) of them were shared between Mac and VMWare.

Apr 6, 2016 3:15 AM in response to Linc Davis

Here it is Linc (all lines as produced, I omitted some info in certain lines):


1 Start time: 10:50:27 04/06/16
2
3 Revision: 1561
4
5 Model Identifier: MacBook5,1
6 Boot ROM Version: MB51.007D.B03
7 System Version: OS X 10.10.5 (14F1605)
8 Kernel Version: Darwin 14.5.0
9 Time since boot: 8 minutes
10
11 Memory
12
13 BANK 0/DIMM0
14
15 Size: 4 GB
16 Speed: 1067 MHz
17 Status: OK
18 Manufacturer: 0x029E
19
20 BANK 0/DIMM1
21
22 Size: 4 GB
23 Speed: 1067 MHz
24 Status: OK
25 Manufacturer: 0x029E
26
27 Battery
28
29 Condition: Service Battery
30
31 SerialATA
32
33 KINGSTON
34 WDC
35
36 USB
37
38 USB HD (Phison Electronics Corp.)
39
40 Activity
41
42 CPU: user 13%, system 15%
43
44 File opens (/s)
45
46 ReportCrash (UID 501) => /usr/lib/system (status 0): 21
47 ReportCrash (UID 501) => /usr/lib/system (status 2): 21
48 ReportCrash (UID 501) => /usr/lib (status 0): 21
49 ReportCrash (UID 501) => /usr/lib (status 2): 15
50
51 System errors (/s)
52
53 ReportCrash (UID 501, error 2): 697
54
55 Energy impact, lifetime (relative)
56
57 ReportCrash (UID 501): 47.82
58 Terminal (UID 501): 34.67
59 firefox (UID 501): 18.25
60 bash (UID 501): 16.49
61
62 Energy impact, sampled (relative)
63
64 ReportCrash (UID 501): 53.89
65
66 CPU usage, lifetime (ms/s)
67
68 ReportCrash (UID 501): 478.36
69 Terminal (UID 501): 346.71
70 firefox (UID 501): 180.77
71 bash (UID 501): 164.94
72
73 CPU usage, sampled (ms/s)
74
75 ReportCrash (UID 501): 538.92
76
77 Firewall: On
78
79 Tunnel: Yes
80
81 Listeners
82
83 cupsd: ipp
84 kdc: kerberos
85 launchd: afpovertcp
86 launchd: microsoft-ds
87
88 Diagnostic reports
89
90 2016-02-28 SocialPushAgent crash
91 2016-02-29 accountsd crash
92 2016-03-02 accountsd crash
93 2016-03-07 Finder hang x2
94 2016-03-07 SocialPushAgent crash
95 2016-03-07 accountsd crash
96 2016-03-07 firefox hang
97 2016-03-07 plugin-container crash
98 2016-03-16 Finder hang x2
99 2016-03-16 Safari crash
100 2016-03-17 SocialPushAgent crash x3
101 2016-03-19 SocialPushAgent crash
102 2016-03-20 SocialPushAgent crash
103 2016-03-22 accountsd crash
104 2016-03-26 Safari crash
105 2016-03-26 SocialPushAgent crash
106 2016-03-26 com.apple.preference.security.remoteservice crash x3
107 2016-04-05 SocialPushAgent crash
108 2016-04-05 bird crash x17
109 2016-04-05 cloudd crash x20
110 2016-04-05 com.apple.preference.security.remoteservice crash
111 2016-04-06 SocialPushAgent crash
112 2016-04-06 accountsd crash x20
113 2016-04-06 bird crash x3
114 2016-04-06 sharingd crash x20
115
116 HID errors: 2
117
118 Kernel log
119
120 Apr 5 17:47:23 vmnet: netif-vmnet1: SIOCPROTODETACH failed: 16.
121 Apr 5 17:47:23 vmnet: netif-vmnet8: SIOCPROTODETACH failed: 16.
122 Apr 5 17:47:35 vmnet1: failed to restore 1 suspended link-layer multicast membership(s) (err=102)
123 Apr 5 17:47:35 vmnet8: failed to restore 1 suspended link-layer multicast membership(s) (err=102)
124 Apr 5 17:48:33 Over-release of kernel-internal importance assertions for pid 244 (Little Snitch Ne), dropping 1 assertion(s) but task only has 0 remaining (0 external).
125 Apr 5 17:59:22 vmnet: netif-vmnet1: SIOCPROTODETACH failed: 16.
126 Apr 5 17:59:23 vmnet: netif-vmnet8: SIOCPROTODETACH failed: 16.
127 Apr 5 17:59:29 vmnet1: failed to restore 1 suspended link-layer multicast membership(s) (err=102)
128 Apr 5 17:59:29 vmnet8: failed to restore 1 suspended link-layer multicast membership(s) (err=102)
129 Apr 5 19:41:36 vmnet: netif-vmnet1: SIOCPROTODETACH failed: 16.
130 Apr 5 19:41:36 vmnet: netif-vmnet8: SIOCPROTODETACH failed: 16.
131
132 System log
133
134 13 CoreData 0x00007fff9678f4d6 developerSubmittedBlockToNSManagedObjectContextPerform + 182
135 14 libdispatch.dylib 0x00007fff911c6e73 _dispatch_client_callout + 8
136 15 libdispatch.dylib 0x00007fff911c78ca _dispatch_barrier_sync_f_invoke + 57
137 16 CoreData 0x00007fff9678f3b6 -[NSManagedObjectContext performBlockAndWait:] + 214
138 17 AccountsDaemon 0x00007fff8c2c30b5 -[ACDDatabaseInitializer updateDefaultContent] + 132
139 18 AccountsDaemon 0x00007fff8c2f09cc -[ACDDatabase _setupManagedObjectContext] + 313
140 19 AccountsDaemon 0x00007fff8c2ef7e3 -[ACDDatabase initWithPath:] + 129
141 20 AccountsDaemon 0x00007fff8c2ef748 -[ACDDatabase initWithDefaultPath] + 64
142 21 AccountsDaemon 0x00007fff8c2ec170 -[ACDClient initWithConnection:database:] + 183
143 22 AccountsDaemon 0x00007fff8c2e850c -[ACDServer createClientForConnection:] + 69
144 23 AccountsDaemon 0x00007fff8c2e6f3e -[ACDServer listener:shouldAcceptNewConnection:] + 78
145 24 Foundation 0x00007fff8b8a016e service_connection_handler_make_connection + 178
146 25 libxpc.dylib 0x00007fff8c5d2d15 _xpc_connection_call_event_handler + 58
147 26 libxpc.dylib 0x00007fff8c5d2a3a _xpc_connection_mach_event + 2324
148 27 libdispatch.dylib 0x00007fff911ccba8 _dispatch_client_callout4 + 9
149 28 libdispatch.dylib 0x00007fff911cdc9f _dispatch_mach_msg_invoke + 445
150 29 libdispatch.dylib 0x00007fff911ca3bc _dispatch_queue_drain + 571
151 30 libdispatch.dylib 0x00007fff911cc540 _dispatch_mach_invoke + 232
152 31 libdispatch.dylib 0x00007fff911ca3bc _dispatch_queue_drain + 571
153 32 libdispatch.dylib 0x00007fff911ca030 _dispatch_queue_invoke + 202
154 33 libdispatch.dylib 0x00007fff911c9bef _dispatch_root_queue_drain + 463
155 34 libdispatch.dylib 0x00007fff911c9a1c _dispatch_worker_thread3 + 91
156 35 libsystem_pthread.dylib 0x00007fff8da6ba9d _pthread_wqthread + 729
157 36 libsystem_pthread.dylib 0x00007fff8da693dd start_wqthread + 13
158 )
159
160 Loaded kernel extensions
161
162 [FIREWALL]
163
164 System services loaded
165
166 [FIREWALL]
167 com.adobe.fpsaud
168 com.apple.spindump
169 - status: 75
170 com.apple.watchdogd
171 com.malwarebytes.MBAMHelperTool
172
173 Login services loaded
174
175 [FIREWALL]
176 com.apple.SocialPushAgent
177 - status: -6
178 com.apple.accountsd
179 - status: -6
180 com.apple.bird
181 - status: -6
182 com.apple.sharingd
183 - status: -6
184
185 Login services disabled
186
187 com.apple.FolderActions.folders
188 com.apple.FolderActions.enabled
189
190 User services disabled
191
192 com.apple.FolderActions.folders
193 com.apple.FolderActions.enabled
194
195 Contents of /Library/LaunchAgents/[FIREWALL].plist
196 - mod date: Jan 3 18:20:22 2016
197 - size (B): 464
198 - checksum: 2014742307
199
200 <?xml version="1.0" encoding="UTF-8"?>
201 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
202 <plist version="1.0">
203 <dict>
204 <key>KeepAlive</key>
205 <true/>
206 <key>Label</key>
207 <string>[FIREWALL]</string>
208 <key>ProgramArguments</key>
209 <array>
210 <string>/Library/[FIREWALL]</string>
211 </array>
212 <key>RunAtLoad</key>
213 <true/>
214 </dict>
215 </plist>
216
217 Contents of /Library/LaunchDaemons/[FIREWALL].plist
218 - mod date: Jan 3 18:20:22 2016
219 - size (B): 631
220 - checksum: 4174275850
221
222 <?xml version="1.0" encoding="UTF-8"?>
223 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
224 <plist version="1.0">
225 <dict>
226 <key>KeepAlive</key>
227 <true/>
228 <key>Label</key>
229 <string>[FIREWALL]</string>
230 <key>ProgramArguments</key>
231 <array>
232 <string>/Library/[FIREWALL]</string>
233 </array>
234 <key>RunAtLoad</key>
235 <true/>
236 <key>StandardErrorPath</key>
237 <string>/Library/Logs/[FIREWALL].log</string>
238 <key>StandardOutPath</key>
239 <string>/Library/Logs/[FIREWALL].log</string>
240 </dict>
241 </plist>
242
243 Contents of /Library/LaunchDaemons/com.malwarebytes.MBAMHelperTool.plist
244 - mod date: Apr 5 16:57:45 2016
245 - size (B): 584
246 - checksum: 2299099766
247
248 <?xml version="1.0" encoding="UTF-8"?>
249 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
250 <plist version="1.0">
251 <dict>
252 <key>Label</key>
253 <string>com.malwarebytes.MBAMHelperTool</string>
254 <key>MachServices</key>
255 <dict>
256 <key>com.malwarebytes.MBAMHelperTool</key>
257 <true/>
258 </dict>
259 <key>Program</key>
260 <string>/Library/PrivilegedHelperTools/com.malwarebytes.MBAMHelperTool</string>
261 <key>ProgramArguments</key>
262 <array>
263 <string>/Library/PrivilegedHelperTools/com.malwarebytes.MBAMHelperTool</string>
264 </array>
265 </dict>
266 </plist>
267
268 Contents of /System/Library/LaunchAgents/com.apple.SafariPlugInUpdateNotifier.plist
269 - mod date: Dec 21 07:57:59 2015
270 - size (B): 779
271 - checksum: 941105980
272
273 <?xml version="1.0" encoding="UTF-8"?>
274 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
275 <plist version="1.0">
276 <dict>
277 <key>EnablePressuredExit</key>
278 <true/>
279 <key>Label</key>
280 <string>com.apple.SafariPlugInUpdateNotifier</string>
281 <key>Program</key>
282 <string>/usr/libexec/SafariPlugInUpdateNotifier</string>
283 <key>LaunchEvents</key>
284 <dict>
285 <key>com.apple.fsevents.matching</key>
286 <dict>
287 <key>UserFlashPlugInModified</key>
288 <dict>
289 <key>Path</key>
290 <string>~/Library/Internet Plug-Ins/Flash Player.plugin</string>
291 </dict>
292 <key>SystemFlashPlugInModified</key>
293 <dict>
294 <key>Path</key>
295 <string>/Library/Internet Plug-Ins/Flash Player.plugin</string>
296 </dict>
297 </dict>
298
299 ...and 3 more line(s)
300
301 Contents of /System/Library/LaunchDaemons/org.apache.httpd.plist
302 - mod date: Apr 24 13:51:28 2015
303 - size (B): 554
304 - checksum: 3012644940
305
306 <?xml version="1.0" encoding="UTF-8"?>
307 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
308 <plist version="1.0">
309 <dict>
310 <key>Disabled</key>
311 <true/>
312 <key>Label</key>
313 <string>org.apache.httpd</string>
314 <key>EnvironmentVariables</key>
315 <dict>
316 <key>XPC_SERVICES_UNAVAILABLE</key>
317 <string>1</string>
318 </dict>
319 <key>ProgramArguments</key>
320 <array>
321 <string>/usr/sbin/httpd-wrapper</string>
322 <string>-D</string>
323 <string>FOREGROUND</string>
324 </array>
325 <key>OnDemand</key>
326 <false/>
327 </dict>
328 </plist>
329
330 Contents of Library/LaunchAgents/com.apple.FolderActions.folders.plist
331 - mod date: Jan 11 01:59:40 2015
332 - size (B): 517
333 - checksum: 1189540302
334
335 <?xml version="1.0" encoding="UTF-8"?>
336 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
337 <plist version="1.0">
338 <dict>
339 <key>Label</key>
340 <string>com.apple.FolderActions.folders</string>
341 <key>Program</key>
342 <string>/usr/bin/osascript</string>
343 <key>ProgramArguments</key>
344 <array>
345 <string>osascript</string>
346 <string>-e</string>
347 <string>tell application "Folder Actions Dispatcher" to tick</string>
348 </array>
349 <key>WatchPaths</key>
350 <array/>
351 </dict>
352 </plist>
353
354 Unreadable plists
355
356 /Library/Preferences/com.epson.Epson Scanner ICA Driver.UnInstallList.plist
357
358 User login items
359
360 iTunesHelper
361 - /Applications/iTunes.app/Contents/MacOS/iTunesHelper.app
362 VMware Fusion Start Menu
363 - /Applications/VMware Fusion.app/Contents/Library/VMware Fusion Start Menu.app
364
365 iCloud errors
366
367 cloudd 672
368 Finder 26
369 bird 24
370 ClamXav 11
371 Spotlight 1
372 CallHistorySyncHelper 1
373
374 Continuity errors
375
376 sharingd 818
377
378 Restrictive permissions: 7
379
380 Lockfiles: 6
381
382 Global prefs (user)
383
384 "HEWLETT-PACKARD DESKJET 1220C" = 1
385
386 Extensions
387
388 /Library/Extensions/[FIREWALL].kext
389 - [FIREWALL]
390 - [FIREWALL]
391
392 Applications
393
394 /Applications/DetectX.app
395 - com.sqwarq.DetectX
396 - Philip Stokes (MAJ5XBJSG3)
397 /Applications/Malwarebytes Anti-Malware.app
398 - com.malwarebytes.antimalware
399 - Malwarebytes Corporation (GVZRY6KDKR)
400
401 Frameworks
402
403 /Library/Frameworks/Adlm.framework
404 - com.autodesk.adlmfmwk
405
406 PrefPane
407
408 /Library/PreferencePanes/Flash Player.prefPane
409 - com.adobe.flashplayerpreferences
410 /Library/PreferencePanes/Tuxera NTFS.prefPane
411 - com.tuxera.ntfs.mac.prefpane
412
413 Bundles
414
415 /Library/Internet Plug-Ins/DirectorShockwave.plugin
416 - com.adobe.director.shockwave.pluginshim
417 - Adobe Systems, Inc.
418 /Library/Internet Plug-Ins/Flash Player.plugin
419 - com.macromedia.Flash Player.plugin
420 - Adobe Systems, Inc.
421 /Library/Internet Plug-Ins/OfficeLiveBrowserPlugin.plugin
422 - com.microsoft.officelive.browserplugin
423 /Library/Internet Plug-Ins/Quartz Composer.webplugin
424 - com.apple.QuartzComposer.webplugin
425 - Software Signing
426 /System/Library/Filesystems/fusefs_txantfs.fs
427 - com.tuxera.filesystems.util.fusefs_txantfs
428 /Users/USER/Library/Address Book Plug-Ins/SkypeABDialer.bundle
429 - com.skype.skypeabdialer
430 /Users/USER/Library/Address Book Plug-Ins/SkypeABSMS.bundle
431 - com.skype.skypeabsms
432
433 Bundles (new)
434
435 /Applications/DetectX.app
436 - com.sqwarq.DetectX
437 - Philip Stokes (MAJ5XBJSG3)
438 /Applications/Malwarebytes Anti-Malware.app
439 - com.malwarebytes.antimalware
440 - Malwarebytes Corporation (GVZRY6KDKR)
441
442 Library paths
443
444 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libKQOAuthAdlm.dylib
445 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libQtCoreAdlm.4.dylib
446 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libQtGuiAdlm.4.dylib
447 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libQtNetworkAdlm.4.dylib
448 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libQtScriptAdlm.4.dylib
449 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libQtWebKitAdlm.4.dylib
450 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libQtXmlAdlm.4.dylib
451 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libRegisterToday.dylib
452 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libadlmO2Services.dylib
453 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libadlmPIT.dylib
454 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libadlmact.dylib
455 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libadlmact_libFNP.dylib
456 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libadlmcascade.dylib
457 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libadlmerrorLog.dylib
458 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libadlmutil.dylib
459 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/liblmubase.dylib
460 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/liblmubase_std.dylib
461 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/liblmumain.dylib
462 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/liblmupipe.dylib
463 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/liblmupipe_std.dylib
464 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/liblmuui.dylib
465 /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libphononAdlm.4.dylib
466 /Users/USER/Library/Application Support/Firefox/Profiles/r65sokqu.default/gmp-gmpopenh264/1.1/libgmpopenh264.dylib
467 /Users/USER/Library/Application Support/Firefox/Profiles/r65sokqu.default/gmp-gmpopenh264/1.5.3/libgmpopenh264.dylib
468 /usr/local/clamXav/lib/libclamav.7.dylib
469 /usr/local/clamXav/lib/libclamunrar.7.dylib
470 /usr/local/clamXav/lib/libpcre.1.dylib
471 /usr/local/clamXav/lib/libpcre16.0.dylib
472 /usr/local/clamXav/lib/libpcre32.0.dylib
473 /usr/local/clamXav/lib/libpcrecpp.0.dylib
474 /usr/local/clamXav/lib/libpcreposix.0.dylib
475
476 App extensions
477
478 uk.co.canimaansoftware.clamxav.ClamXav-Latest
479
480 Modifications
481
482 file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/darwin.iso
483 file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/darwin.iso.sig
484 file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/freebsd.iso
485 file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/freebsd.iso.sig
486 file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/linux.iso
487 file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/linux.iso.sig
488 file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/netware.iso
489 file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/netware.iso.sig
490 file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/solaris.iso
491 file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/solaris.iso.sig
492 ...
493
494 Signatures
495
496 /System/Library/Accounts/Notification/CloudDocsAccountNotificationPlugin.bundle : bundle format unrecognized, invalid, or unsuitable
497 /System/Library/Extensions/hp_io_enabler_compound.kext: Hewlett Packard (6HB5Y2QTA3)
498 /System/Library/Frameworks/CoreTelephony.framework: bundle format unrecognized, invalid, or unsuitable
499 /System/Library/PrivateFrameworks/GPUSupport.framework: bundle format unrecognized, invalid, or unsuitable
500
501 Installations
502
503 ClamXav Scanning Engine v0.99 update 4: 05/04/2016 16:59
504 Adobe Flash Player: 20/02/2016 23:04
505 Adobe Flash Player: 31/12/2015 17:45
506 Adobe Flash Player: 24/11/2015 19:36
507 Adobe Flash Player: 24/10/2015 18:29
508
509 Elapsed time (sec): 557

Apr 6, 2016 3:42 AM in response to Shawody

Some additional info:


- I've disconnected everything from my network and connected that Mac online, ran the test and uploaded it here. I was not comfortable with sharing a USB drive with a healthy machine.


- Malwarebytes, DetectX and ClamXav/ClamAV were installed after it was infected to find possible traces. However, they're all trial versions, and Malwarebytes and DetectX seem to scan the system in a second, which looks fishy to me. ClamXav on the other hand doesn't allow me to select any other folder than the User folder; if I try to add something else, I just get a spinning wheel, and nothing happens even after minutes of waiting. The User folder came out supposedly clean.


- I've just noticed in the Console I keep getting CoreData Error and ReportCrash on a second by second basis. It keeps saying there is an illegal attempt to save to a file that was never opened.

Apr 6, 2016 6:00 AM in response to Shawody

You removed some non-personal details that would be needed for a full evaluation of the output, but that doesn't matter as far as the original question is concerned. There's no evidence of malware, known or unknown. I think the security breach was caused by virtualized Windows malware with access to the host filesystem. The same thing has happened to others. I don't know why guest files were not affected. Maybe they were protected by something running on the guest system.

I also think that a Windows guest should not be given read-write access to the user's whole home folder on the host. I don't see the point of that, and the risks are obvious.


If you don't agree with me, you should erase the startup volume, reinstall OS X, and restore only documents from a backup. All third-party software (not including useless items such as "anti-malware" and "security" products) should be reinstalled from original media or fresh downloads.

Apr 6, 2016 6:20 AM in response to Linc Davis

Hi Linc,


Thanks for getting back to me. What I removed and put into square brackets, like this: [FIREWALL], is all one and the same application. It is my firewall for internal and external connections. The only other info I removed was the serials for my hard drives; I left the brands. As you can see, I haven't messed with line numbers or anything like that.


I value your point, however, I don't remember giving VMWare read-write to the whole User home folder. It was merely some shared folders. Is there a way you would recommend setting VMWare, so that both Win and Mac can have access to necessary folders, while still protecting Users home folder?


I was planning to do a complete wipe and fresh install anyways, purely out of concern that I don't know when and how this malware/ransomware got onto the system. I was hoping that with some help I might find those details out, so I could know if I can still rescue some of the non-encrypted files. And also what troubled me is why only Mac folders were affected and especially those in Library/Containers, but as it seems like I'm not going to find more answers, it will all have to go...unless you have any other solution/tip/suggestion? :/

Apr 6, 2016 6:23 AM in response to Linc Davis

Regarding Malware and AV apps I kinda agree with you...and as I said, they were only installed afterwards to check for possible traces. However, that didn't really happen...so they were useless, and they won't be installed again.


Another thing that I found out during my research was that even if you had it installed, if it is a new version roaming around, they'd not catch it...unless the databases have been updated for that specific threat. So it's mostly a lose-lose situation.

Apr 6, 2016 6:47 AM in response to Shawody

Is there a way you would recommend setting VMWare, so that both Win and Mac can have access to necessary folders, while still protecting Users home folder?

The only reason I can see for allowing a VM access to the host filesystem is so that you can move files between it and the guest. For that purpose all you need is a single folder. It should be used for temporary storage only. Windows can't do anything useful with your permanent OS X library files. All it can do is destroy them.
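As an added example (not code from the thread or from VMware), here is a small audit that reads a VMware Fusion/Workstation .vmx file and flags shared folders giving the guest write access to the macOS home folder or its standard subfolders, which is the exposure described above; it also reports when more than one share is enabled, since a single temporary exchange folder is all that is needed. The sharedFolderN.* and isolation.tools.hgfs.disable key names are an assumption drawn from typical .vmx files, and the home path and sample configuration are constructed.

```python
"""Audit a VMware .vmx file for shared folders that expose the host home folder.

Added example, not from the thread: it reads the sharedFolderN.* keys that VMware
Fusion/Workstation store in a VM's .vmx and flags shares giving the Windows guest
write access to the macOS home folder or its standard subfolders. The key names
are an assumption drawn from typical .vmx files; compare them with your own.
"""
import re
from pathlib import PurePosixPath

# Host folders a guest should never be able to write into ("" = the home folder itself).
SENSITIVE = {"", "Desktop", "Documents", "Downloads", "Library", "Pictures",
             "Movies", "Music"}
_LINE = re.compile(r'^\s*([\w.]+)\s*=\s*"(.*)"\s*$')  # key = "value"


def parse_vmx(text):
    """Map vmx keys (lower-cased, since vmx keys are case-insensitive) to values."""
    conf = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            conf[m.group(1).lower()] = m.group(2)
    return conf


def _flag(conf, key):
    return conf.get(key, "FALSE").upper() == "TRUE"


def shared_folders(conf):
    """List (index, hostPath, writable) for every share that is present and enabled."""
    shares = []
    for key in conf:
        m = re.fullmatch(r"sharedfolder(\d+)\.present", key)
        if not m:
            continue
        idx, p = int(m.group(1)), key[: -len("present")]
        if _flag(conf, key) and _flag(conf, p + "enabled"):
            shares.append((idx, conf.get(p + "hostpath", ""), _flag(conf, p + "writeaccess")))
    return sorted(shares)


def audit_vmx(text, home):
    """Return findings against the one-temporary-exchange-folder policy ([] = clean)."""
    conf = parse_vmx(text)
    if _flag(conf, "isolation.tools.hgfs.disable"):
        return []  # host/guest file sharing is switched off altogether
    home, findings = PurePosixPath(home), []
    shares = shared_folders(conf)
    for idx, path, writable in shares:
        p = PurePosixPath(path)
        if p == home or p in home.parents:   # the home folder itself, /Users or /
            top = ""
        elif home in p.parents:              # somewhere below the home folder
            top = p.relative_to(home).parts[0]
        else:
            continue                         # outside the home folder: out of scope here
        if top in SENSITIVE:
            access = "write to" if writable else "read"
            findings.append(f"sharedFolder{idx}: guest can {access} {path}")
    if len(shares) > 1:
        findings.append(f"{len(shares)} shares enabled; one exchange folder is enough")
    return findings


# Constructed sample: the whole home folder shared read-write plus a dedicated exchange folder.
SAMPLE_VMX = """\
isolation.tools.hgfs.disable = "FALSE"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.writeAccess = "TRUE"
sharedFolder0.hostPath = "/Users/alice"
sharedFolder0.guestName = "alice"
sharedFolder1.present = "TRUE"
sharedFolder1.enabled = "TRUE"
sharedFolder1.writeAccess = "TRUE"
sharedFolder1.hostPath = "/Users/alice/VM Exchange"
sharedFolder1.guestName = "VM Exchange"
sharedFolder.maxNum = "2"
"""
# The same VM with the home-folder share removed: the exchange folder alone passes.
HARDENED_VMX = "\n".join(l for l in SAMPLE_VMX.splitlines() if not l.startswith("sharedFolder0"))
```

Running audit_vmx(SAMPLE_VMX, "/Users/alice") reports the home-folder share and the share count, while audit_vmx(HARDENED_VMX, "/Users/alice") returns an empty list.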

Apr 6, 2016 9:57 AM in response to Shawody

Typically, VMs allow the host OS to see USB drives. So you could format a 16 GB (or whatever size you need) flash drive as FAT32 or exFAT. Put the files from the Mac onto the drive. In the VM, the flash drive should appear as a mountable drive without having any other type of access to OS X. It can also of course be used in reverse. Put files from Windows onto the USB drive and dismount it. Pull the files off the drive from OS X.

Apr 6, 2016 10:28 AM in response to Kurt Lang

This is going to be fun to explain to my friend. :/


*sarcasm*

Yes you can work side by side, but no, you can't see the files. You have to copy/paste onto the USB drive, then eject the drive, plug it back in and enable it in Windows. Do your work, save it back to the USB drive, eject it and reconnect it in Mac and save the file to where it was.

*sarcasm*
