Apple429

Q: Cryptowall (Help_Decrypt virus) in iCloud

Hello everyone,

 

So my mom got an email in for a job resume the other day and attached was a .zip file of what should have been a job resume, but when she opened it, she got a pop-up and the whole mess of the Help_Decrypt virus started spreading. EVERYWHERE!! So I just decided to wipe her iMac clean and start over (we have backups, thankfully); however, it appears that the virus got into her iCloud files and is preventing her from opening all of her documents. "Spreadsheet cannot be opened"

Is there any way we can access a "restore point" or are we just screwed and have to start over?

Thanks in advance for any help everyone!

~Taylor

iMac, OS X Yosemite (10.10.3)

Posted on May 17, 2015 7:35 AM

Page 2 of 4
  • by Linc Davis, Level 10 (207,926 points), Applications
    Apr 5, 2016 1:21 PM in response to Shawody

    You don't have to connect the affected machine to the network. You can copy the script to a plain text file and transfer that file to a storage device such as a USB flash drive. Mount the drive and proceed with Step 7 as if you had loaded the web page with the text. You will then have to copy the output to the drive and mount it on another machine that is connected to the network. If you're concerned that some kind of infection will be transmitted that way, erase the internal drive of the connected machine and restore from a backup.

  • by Shawody, Level 1 (4 points)
    Apr 5, 2016 1:23 PM in response to Kurt Lang

    Interesting that you mentioned Desktop. Desktop was one of the affected folders; however, I haven't seen Desktop set anywhere as a portal/shared folder between Mac and VMware. Do you know if that is set by default in VMware?

    That's why it bugs me: if it is Windows only, how did it manage to get there, especially as there is no Flash installed on the Windows side, and no web pages were opened or email checked there... and, as said before, no Windows folders seem to be affected, only Mac ones... although some (a minority, about 16) of them were shared between Mac and VMware.

  • by Shawody, Level 1 (4 points)
    Apr 5, 2016 1:31 PM in response to Linc Davis

    I see... sorry Linc, I thought you had to be connected online and paste some text that the script then tests... but I see now that the text is the script. My bad.

    Can you tell me, is there any identifiable information in the output of that script? Names, IDs, etc.?

  • by Linc Davis, Level 10 (207,926 points), Applications
    Apr 5, 2016 1:42 PM in response to Shawody

    is there any identifiable information in the output of that script?

    Usually not, but as I wrote earlier, the report is human-readable and you should anonymize any information that you don't want to disclose before posting. There is no hidden information in it, as you can verify.
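    Two checks that make the advice above concrete, as an added example that is not part of this thread and not the diagnostic script being discussed: verify that a plain-text report really carries nothing a reader would not see (control, zero-width and non-ASCII space characters), and scrub chosen identifiers consistently, the way the poster later replaces a product name with [FIREWALL] and the report itself writes /Users/USER. The sample lines, the serial number and the user name are constructed for the example.

```python
"""Checks to run on a plain-text diagnostic report before posting it.

Added example; not part of the thread or of the script whose output is
discussed. Everything in SAMPLE and PLACEHOLDERS is constructed.
"""
import re
import unicodedata
from typing import Dict, List, Tuple


def _is_hidden(ch: str) -> bool:
    """Characters a reader would not see: control/format/private-use
    (category C*), line/paragraph separators, any space other than U+0020."""
    cat = unicodedata.category(ch)
    return cat.startswith("C") or cat in ("Zl", "Zp") or (cat == "Zs" and ch != " ")


def find_hidden_chars(text: str) -> List[Tuple[int, int, str]]:
    """Return (line, column, Unicode name) for every hidden character.
    Tabs and newlines are ordinary report formatting and are allowed."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch != "\t" and _is_hidden(ch):
                hits.append((lineno, col, unicodedata.name(ch, f"U+{ord(ch):04X}")))
    return hits


def strip_hidden(text: str) -> str:
    """Remove every character find_hidden_chars would report."""
    return "".join(ch for ch in text if ch in "\t\n" or not _is_hidden(ch))


def redact(text: str, placeholders: Dict[str, str]) -> str:
    """Replace each identifier with its placeholder, longest first, so a
    short identifier that is a substring of a longer one cannot leave part
    of the longer one behind. Case-insensitive, because a user name shows
    up in paths in whatever case the filesystem recorded."""
    out = text
    for ident in sorted(placeholders, key=len, reverse=True):
        out = re.sub(re.escape(ident), lambda m, p=placeholders[ident]: p,
                     out, flags=re.IGNORECASE)
    return out


def scrub(text: str, placeholders: Dict[str, str]) -> str:
    """The full pre-posting pass: drop hidden characters, then redact."""
    return redact(strip_hidden(text), placeholders)


# Constructed sample in the shape of the report in this thread. The
# zero-width space after KINGSTON stands in for something pasted
# invisibly; the serial number, product label and user name are invented.
SAMPLE = (
    "  33      KINGSTON\u200b SV300S37A120G 50026B72412F3A1B\n"
    " 195  Contents of /Library/LaunchAgents/com.example.guard.plist\n"
    " 428      /Users/jdoe/Library/Address Book Plug-Ins/SkypeABDialer.bundle\n"
)
PLACEHOLDERS = {
    "jdoe": "USER",
    "com.example.guard": "[FIREWALL]",
    "50026B72412F3A1B": "[SERIAL]",
}

if __name__ == "__main__":
    for line, col, name in find_hidden_chars(SAMPLE):
        print(f"line {line}, column {col}: {name}")
    print(scrub(SAMPLE, PLACEHOLDERS))
```

    Run it over the saved report before pasting; an empty list from find_hidden_chars is the "nothing hidden" check, and the placeholder map is the record of what was removed so the line numbers and structure stay intact for whoever reads it.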

  • by Shawody, Level 1 (4 points)
    Apr 6, 2016 3:15 AM in response to Linc Davis

    Here it is Linc (all lines as produced, I omitted some info in certain lines):

     

       1  Start time: 10:50:27 04/06/16
       2
       3  Revision: 1561
       4
       5  Model Identifier: MacBook5,1
       6  Boot ROM Version: MB51.007D.B03
       7  System Version: OS X 10.10.5 (14F1605)
       8  Kernel Version: Darwin 14.5.0
       9  Time since boot: 8 minutes
      10
      11  Memory
      12
      13      BANK 0/DIMM0
      14
      15        Size: 4 GB
      16        Speed: 1067 MHz
      17        Status: OK
      18        Manufacturer: 0x029E
      19
      20      BANK 0/DIMM1
      21
      22        Size: 4 GB
      23        Speed: 1067 MHz
      24        Status: OK
      25        Manufacturer: 0x029E
      26
      27  Battery
      28
      29      Condition: Service Battery
      30
      31  SerialATA
      32
      33      KINGSTON
      34      WDC
      35
      36  USB
      37
      38      USB HD (Phison Electronics Corp.)
      39
      40  Activity
      41
      42      CPU: user 13%, system 15%
      43
      44  File opens (/s)
      45
      46      ReportCrash (UID 501) => /usr/lib/system (status 0): 21
      47      ReportCrash (UID 501) => /usr/lib/system (status 2): 21
      48      ReportCrash (UID 501) => /usr/lib (status 0): 21
      49      ReportCrash (UID 501) => /usr/lib (status 2): 15
      50
      51  System errors (/s)
      52
      53      ReportCrash (UID 501, error 2): 697
      54
      55  Energy impact, lifetime (relative)
      56
      57      ReportCrash (UID 501): 47.82
      58      Terminal (UID 501): 34.67
      59      firefox (UID 501): 18.25
      60      bash (UID 501): 16.49
      61
      62  Energy impact, sampled (relative)
      63
      64      ReportCrash (UID 501): 53.89
      65
      66  CPU usage, lifetime (ms/s)
      67
      68      ReportCrash (UID 501): 478.36
      69      Terminal (UID 501): 346.71
      70      firefox (UID 501): 180.77
      71      bash (UID 501): 164.94
      72
      73  CPU usage, sampled (ms/s)
      74
      75      ReportCrash (UID 501): 538.92
      76
      77  Firewall: On
      78
      79  Tunnel: Yes
      80
      81  Listeners
      82
      83      cupsd: ipp
      84      kdc: kerberos
      85      launchd: afpovertcp
      86      launchd: microsoft-ds
      87
      88  Diagnostic reports
      89
      90      2016-02-28 SocialPushAgent crash
      91      2016-02-29 accountsd crash
      92      2016-03-02 accountsd crash
      93      2016-03-07 Finder hang x2
      94      2016-03-07 SocialPushAgent crash
      95      2016-03-07 accountsd crash
      96      2016-03-07 firefox hang
      97      2016-03-07 plugin-container crash
      98      2016-03-16 Finder hang x2
      99      2016-03-16 Safari crash
     100      2016-03-17 SocialPushAgent crash x3
     101      2016-03-19 SocialPushAgent crash
     102      2016-03-20 SocialPushAgent crash
     103      2016-03-22 accountsd crash
     104      2016-03-26 Safari crash
     105      2016-03-26 SocialPushAgent crash
     106      2016-03-26 com.apple.preference.security.remoteservice crash x3
     107      2016-04-05 SocialPushAgent crash
     108      2016-04-05 bird crash x17
     109      2016-04-05 cloudd crash x20
     110      2016-04-05 com.apple.preference.security.remoteservice crash
     111      2016-04-06 SocialPushAgent crash
     112      2016-04-06 accountsd crash x20
     113      2016-04-06 bird crash x3
     114      2016-04-06 sharingd crash x20
     115
     116  HID errors: 2
     117
     118  Kernel log
     119
     120      Apr  5 17:47:23 vmnet: netif-vmnet1: SIOCPROTODETACH failed: 16.
     121      Apr  5 17:47:23 vmnet: netif-vmnet8: SIOCPROTODETACH failed: 16.
     122      Apr  5 17:47:35 vmnet1: failed to restore 1 suspended link-layer multicast membership(s) (err=102)
     123      Apr  5 17:47:35 vmnet8: failed to restore 1 suspended link-layer multicast membership(s) (err=102)
     124      Apr  5 17:48:33 Over-release of kernel-internal importance assertions for pid 244 (Little Snitch Ne), dropping 1 assertion(s) but task only has 0 remaining (0 external).
     125      Apr  5 17:59:22 vmnet: netif-vmnet1: SIOCPROTODETACH failed: 16.
     126      Apr  5 17:59:23 vmnet: netif-vmnet8: SIOCPROTODETACH failed: 16.
     127      Apr  5 17:59:29 vmnet1: failed to restore 1 suspended link-layer multicast membership(s) (err=102)
     128      Apr  5 17:59:29 vmnet8: failed to restore 1 suspended link-layer multicast membership(s) (err=102)
     129      Apr  5 19:41:36 vmnet: netif-vmnet1: SIOCPROTODETACH failed: 16.
     130      Apr  5 19:41:36 vmnet: netif-vmnet8: SIOCPROTODETACH failed: 16.
     131
     132  System log
     133
     134              13  CoreData                            0x00007fff9678f4d6 developerSubmittedBlockToNSManagedObjectContextPerform + 182
     135              14  libdispatch.dylib                   0x00007fff911c6e73 _dispatch_client_callout + 8
     136              15  libdispatch.dylib                   0x00007fff911c78ca _dispatch_barrier_sync_f_invoke + 57
     137              16  CoreData                            0x00007fff9678f3b6 -[NSManagedObjectContext performBlockAndWait:] + 214
     138              17  AccountsDaemon                      0x00007fff8c2c30b5 -[ACDDatabaseInitializer updateDefaultContent] + 132
     139              18  AccountsDaemon                      0x00007fff8c2f09cc -[ACDDatabase _setupManagedObjectContext] + 313
     140              19  AccountsDaemon                      0x00007fff8c2ef7e3 -[ACDDatabase initWithPath:] + 129
     141              20  AccountsDaemon                      0x00007fff8c2ef748 -[ACDDatabase initWithDefaultPath] + 64
     142              21  AccountsDaemon                      0x00007fff8c2ec170 -[ACDClient initWithConnection:database:] + 183
     143              22  AccountsDaemon                      0x00007fff8c2e850c -[ACDServer createClientForConnection:] + 69
     144              23  AccountsDaemon                      0x00007fff8c2e6f3e -[ACDServer listener:shouldAcceptNewConnection:] + 78
     145              24  Foundation                          0x00007fff8b8a016e service_connection_handler_make_connection + 178
     146              25  libxpc.dylib                        0x00007fff8c5d2d15 _xpc_connection_call_event_handler + 58
     147              26  libxpc.dylib                        0x00007fff8c5d2a3a _xpc_connection_mach_event + 2324
     148              27  libdispatch.dylib                   0x00007fff911ccba8 _dispatch_client_callout4 + 9
     149              28  libdispatch.dylib                   0x00007fff911cdc9f _dispatch_mach_msg_invoke + 445
     150              29  libdispatch.dylib                   0x00007fff911ca3bc _dispatch_queue_drain + 571
     151              30  libdispatch.dylib                   0x00007fff911cc540 _dispatch_mach_invoke + 232
     152              31  libdispatch.dylib                   0x00007fff911ca3bc _dispatch_queue_drain + 571
     153              32  libdispatch.dylib                   0x00007fff911ca030 _dispatch_queue_invoke + 202
     154              33  libdispatch.dylib                   0x00007fff911c9bef _dispatch_root_queue_drain + 463
     155              34  libdispatch.dylib                   0x00007fff911c9a1c _dispatch_worker_thread3 + 91
     156              35  libsystem_pthread.dylib             0x00007fff8da6ba9d _pthread_wqthread + 729
     157              36  libsystem_pthread.dylib             0x00007fff8da693dd start_wqthread + 13
     158          )
     159
     160  Loaded kernel extensions
     161
     162      [FIREWALL]
     163
     164  System services loaded
     165
     166      [FIREWALL]
     167      com.adobe.fpsaud
     168      com.apple.spindump
     169      -    status: 75
     170      com.apple.watchdogd
     171      com.malwarebytes.MBAMHelperTool
     172
     173  Login services loaded
     174
     175      [FIREWALL]
     176      com.apple.SocialPushAgent
     177      -    status: -6
     178      com.apple.accountsd
     179      -    status: -6
     180      com.apple.bird
     181      -    status: -6
     182      com.apple.sharingd
     183      -    status: -6
     184
     185  Login services disabled
     186
     187      com.apple.FolderActions.folders
     188      com.apple.FolderActions.enabled
     189
     190  User services disabled
     191
     192      com.apple.FolderActions.folders
     193      com.apple.FolderActions.enabled
     194
     195  Contents of /Library/LaunchAgents/[FIREWALL].plist
     196      -    mod date: Jan  3 18:20:22 2016
     197      -    size (B): 464
     198      -    checksum: 2014742307
     199
     200      <?xml version="1.0" encoding="UTF-8"?>
     201      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
     202      <plist version="1.0">
     203      <dict>
     204          <key>KeepAlive</key>
     205          <true/>
     206          <key>Label</key>
     207          <string>[FIREWALL]</string>
     208          <key>ProgramArguments</key>
     209          <array>
     210              <string>/Library/[FIREWALL]</string>
     211          </array>
     212          <key>RunAtLoad</key>
     213          <true/>
     214      </dict>
     215      </plist>
     216
     217  Contents of /Library/LaunchDaemons/[FIREWALL].plist
     218      -    mod date: Jan  3 18:20:22 2016
     219      -    size (B): 631
     220      -    checksum: 4174275850
     221
     222      <?xml version="1.0" encoding="UTF-8"?>
     223      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
     224      <plist version="1.0">
     225      <dict>
     226          <key>KeepAlive</key>
     227          <true/>
     228          <key>Label</key>
     229          <string>[FIREWALL]</string>
     230          <key>ProgramArguments</key>
     231          <array>
     232              <string>/Library/[FIREWALL]</string>
     233          </array>
     234          <key>RunAtLoad</key>
     235          <true/>
     236          <key>StandardErrorPath</key>
     237          <string>/Library/Logs/[FIREWALL].log</string>
     238          <key>StandardOutPath</key>
     239          <string>/Library/Logs/[FIREWALL].log</string>
     240      </dict>
     241      </plist>
     242
     243  Contents of /Library/LaunchDaemons/com.malwarebytes.MBAMHelperTool.plist
     244      -    mod date: Apr  5 16:57:45 2016
     245      -    size (B): 584
     246      -    checksum: 2299099766
     247
     248      <?xml version="1.0" encoding="UTF-8"?>
     249      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
     250      <plist version="1.0">
     251      <dict>
     252          <key>Label</key>
     253          <string>com.malwarebytes.MBAMHelperTool</string>
     254          <key>MachServices</key>
     255          <dict>
     256              <key>com.malwarebytes.MBAMHelperTool</key>
     257              <true/>
     258          </dict>
     259          <key>Program</key>
     260          <string>/Library/PrivilegedHelperTools/com.malwarebytes.MBAMHelperTool</string>
     261          <key>ProgramArguments</key>
     262          <array>
     263              <string>/Library/PrivilegedHelperTools/com.malwarebytes.MBAMHelperTool</string>
     264          </array>
     265      </dict>
     266      </plist>
     267
     268  Contents of /System/Library/LaunchAgents/com.apple.SafariPlugInUpdateNotifier.plist
     269      -    mod date: Dec 21 07:57:59 2015
     270      -    size (B): 779
     271      -    checksum: 941105980
     272
     273      <?xml version="1.0" encoding="UTF-8"?>
     274      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
     275      <plist version="1.0">
     276      <dict>
     277          <key>EnablePressuredExit</key>
     278          <true/>
     279          <key>Label</key>
     280          <string>com.apple.SafariPlugInUpdateNotifier</string>
     281          <key>Program</key>
     282          <string>/usr/libexec/SafariPlugInUpdateNotifier</string>
     283          <key>LaunchEvents</key>
     284          <dict>
     285              <key>com.apple.fsevents.matching</key>
     286              <dict>
     287                  <key>UserFlashPlugInModified</key>
     288                  <dict>
     289                      <key>Path</key>
     290                      <string>~/Library/Internet Plug-Ins/Flash Player.plugin</string>
     291                  </dict>
     292                  <key>SystemFlashPlugInModified</key>
     293                  <dict>
     294                      <key>Path</key>
     295                      <string>/Library/Internet Plug-Ins/Flash Player.plugin</string>
     296                  </dict>
     297              </dict>
     298
     299      ...and 3 more line(s)
     300
     301  Contents of /System/Library/LaunchDaemons/org.apache.httpd.plist
     302      -    mod date: Apr 24 13:51:28 2015
     303      -    size (B): 554
     304      -    checksum: 3012644940
     305
     306      <?xml version="1.0" encoding="UTF-8"?>
     307      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
     308      <plist version="1.0">
     309      <dict>
     310          <key>Disabled</key>
     311          <true/>
     312          <key>Label</key>
     313          <string>org.apache.httpd</string>
     314          <key>EnvironmentVariables</key>
     315          <dict>
     316              <key>XPC_SERVICES_UNAVAILABLE</key>
     317              <string>1</string>
     318          </dict>
     319          <key>ProgramArguments</key>
     320          <array>
     321              <string>/usr/sbin/httpd-wrapper</string>
     322              <string>-D</string>
     323              <string>FOREGROUND</string>
     324          </array>
     325          <key>OnDemand</key>
     326          <false/>
     327      </dict>
     328      </plist>
     329
     330  Contents of Library/LaunchAgents/com.apple.FolderActions.folders.plist
     331      -    mod date: Jan 11 01:59:40 2015
     332      -    size (B): 517
     333      -    checksum: 1189540302
     334
     335      <?xml version="1.0" encoding="UTF-8"?>
     336      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
     337      <plist version="1.0">
     338      <dict>
     339          <key>Label</key>
     340          <string>com.apple.FolderActions.folders</string>
     341          <key>Program</key>
     342          <string>/usr/bin/osascript</string>
     343          <key>ProgramArguments</key>
     344          <array>
     345              <string>osascript</string>
     346              <string>-e</string>
     347              <string>tell application "Folder Actions Dispatcher" to tick</string>
     348          </array>
     349          <key>WatchPaths</key>
     350          <array/>
     351      </dict>
     352      </plist>
     353
     354  Unreadable plists
     355
     356      /Library/Preferences/com.epson.Epson Scanner ICA Driver.UnInstallList.plist
     357
     358  User login items
     359
     360      iTunesHelper
     361      -    /Applications/iTunes.app/Contents/MacOS/iTunesHelper.app
     362      VMware Fusion Start Menu
     363      -    /Applications/VMware Fusion.app/Contents/Library/VMware Fusion Start Menu.app
     364
     365  iCloud errors
     366
     367      cloudd    672
     368      Finder    26
     369      bird    24
     370      ClamXav    11
     371      Spotlight    1
     372      CallHistorySyncHelper    1
     373
     374  Continuity errors
     375
     376      sharingd    818
     377
     378  Restrictive permissions: 7
     379
     380  Lockfiles: 6
     381
     382  Global prefs (user)
     383
     384      "HEWLETT-PACKARD DESKJET 1220C" = 1
     385
     386  Extensions
     387
     388      /Library/Extensions/[FIREWALL].kext
     389      -    [FIREWALL]
     390      -    [FIREWALL]
     391
     392  Applications
     393
     394      /Applications/DetectX.app
     395      -    com.sqwarq.DetectX
     396      -    Philip Stokes (MAJ5XBJSG3)
     397      /Applications/Malwarebytes Anti-Malware.app
     398      -    com.malwarebytes.antimalware
     399      -    Malwarebytes Corporation (GVZRY6KDKR)
     400
     401  Frameworks
     402
     403      /Library/Frameworks/Adlm.framework
     404      -    com.autodesk.adlmfmwk
     405
     406  PrefPane
     407
     408      /Library/PreferencePanes/Flash Player.prefPane
     409      -    com.adobe.flashplayerpreferences
     410      /Library/PreferencePanes/Tuxera NTFS.prefPane
     411      -    com.tuxera.ntfs.mac.prefpane
     412
     413  Bundles
     414
     415      /Library/Internet Plug-Ins/DirectorShockwave.plugin
     416      -    com.adobe.director.shockwave.pluginshim
     417      -    Adobe Systems, Inc.
     418      /Library/Internet Plug-Ins/Flash Player.plugin
     419      -    com.macromedia.Flash Player.plugin
     420      -    Adobe Systems, Inc.
     421      /Library/Internet Plug-Ins/OfficeLiveBrowserPlugin.plugin
     422      -    com.microsoft.officelive.browserplugin
     423      /Library/Internet Plug-Ins/Quartz Composer.webplugin
     424      -    com.apple.QuartzComposer.webplugin
     425      -    Software Signing
     426      /System/Library/Filesystems/fusefs_txantfs.fs
     427      -    com.tuxera.filesystems.util.fusefs_txantfs
     428      /Users/USER/Library/Address Book Plug-Ins/SkypeABDialer.bundle
     429      -    com.skype.skypeabdialer
     430      /Users/USER/Library/Address Book Plug-Ins/SkypeABSMS.bundle
     431      -    com.skype.skypeabsms
     432
     433  Bundles (new)
     434
     435      /Applications/DetectX.app
     436      -    com.sqwarq.DetectX
     437      -    Philip Stokes (MAJ5XBJSG3)
     438      /Applications/Malwarebytes Anti-Malware.app
     439      -    com.malwarebytes.antimalware
     440      -    Malwarebytes Corporation (GVZRY6KDKR)
     441
     442  Library paths
     443
     444      /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libKQOAuthAdlm.dylib
     445      /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libQtCoreAdlm.4.dylib
     446      /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libQtGuiAdlm.4.dylib
     447      /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libQtNetworkAdlm.4.dylib
     448      /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libQtScriptAdlm.4.dylib
     449      /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libQtWebKitAdlm.4.dylib
     450      /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libQtXmlAdlm.4.dylib
     451      /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libRegisterToday.dylib
     452      /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libadlmO2Services.dylib
     453      /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libadlmPIT.dylib
     454      /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libadlmact.dylib
     455      /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libadlmact_libFNP.dylib
     456      /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libadlmcascade.dylib
     457      /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libadlmerrorLog.dylib
     458      /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libadlmutil.dylib
     459      /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/liblmubase.dylib
     460      /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/liblmubase_std.dylib
     461      /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/liblmumain.dylib
     462      /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/liblmupipe.dylib
     463      /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/liblmupipe_std.dylib
     464      /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/liblmuui.dylib
     465      /Library/Frameworks/Adlm.framework/Versions/9a/Libraries/libphononAdlm.4.dylib
     466      /Users/USER/Library/Application Support/Firefox/Profiles/r65sokqu.default/gmp-gmpopenh264/1.1/libgmpopenh264.dylib
     467      /Users/USER/Library/Application Support/Firefox/Profiles/r65sokqu.default/gmp-gmpopenh264/1.5.3/libgmpopenh264.dylib
     468      /usr/local/clamXav/lib/libclamav.7.dylib
     469      /usr/local/clamXav/lib/libclamunrar.7.dylib
     470      /usr/local/clamXav/lib/libpcre.1.dylib
     471      /usr/local/clamXav/lib/libpcre16.0.dylib
     472      /usr/local/clamXav/lib/libpcre32.0.dylib
     473      /usr/local/clamXav/lib/libpcrecpp.0.dylib
     474      /usr/local/clamXav/lib/libpcreposix.0.dylib
     475
     476  App extensions
     477
     478      uk.co.canimaansoftware.clamxav.ClamXav-Latest
     479
     480  Modifications
     481
     482      file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/darwin.iso
     483      file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/darwin.iso.sig
     484      file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/freebsd.iso
     485      file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/freebsd.iso.sig
     486      file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/linux.iso
     487      file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/linux.iso.sig
     488      file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/netware.iso
     489      file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/netware.iso.sig
     490      file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/solaris.iso
     491      file added: /Applications/VMware Fusion.app/Contents/Library/isoimages/solaris.iso.sig
     492      ...
     493
     494  Signatures
     495
     496      /System/Library/Accounts/Notification/CloudDocsAccountNotificationPlugin.bundle : bundle format unrecognized, invalid, or unsuitable
     497      /System/Library/Extensions/hp_io_enabler_compound.kext: Hewlett Packard (6HB5Y2QTA3)
     498      /System/Library/Frameworks/CoreTelephony.framework: bundle format unrecognized, invalid, or unsuitable
     499      /System/Library/PrivateFrameworks/GPUSupport.framework: bundle format unrecognized, invalid, or unsuitable
     500
     501  Installations
     502
     503      ClamXav Scanning Engine v0.99 update 4: 05/04/2016 16:59
     504      Adobe Flash Player: 20/02/2016 23:04
     505      Adobe Flash Player: 31/12/2015 17:45
     506      Adobe Flash Player: 24/11/2015 19:36
     507      Adobe Flash Player: 24/10/2015 18:29
     508
     509  Elapsed time (sec): 557
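    The part of a report like the one above that a responder reads first is the launchd section: which jobs exist outside /System, what binary each one runs, and whether it starts at boot or login and is kept alive. The following is an added example, not the diagnostic script used in this thread and not an Apple tool; it applies that reading to plist files in code. The three plists it ships with are constructed to mirror the shapes seen above (an agent that runs a binary directly under /Library, a privileged helper publishing a Mach service, and a deliberately suspicious impostor); the labels com.example.guard, com.example.helper and com.apple.softwareupdate.helper and every path in them are hypothetical.

```python
"""Triage of launchd persistence items (LaunchAgents / LaunchDaemons plists).

Added example; not the thread's diagnostic script and not Apple tooling.
All sample plists and their labels/paths below are constructed.
"""
import os
import plistlib
from typing import Dict, List

# Where a legitimately installed job's binary is normally found.
EXPECTED_PREFIXES = (
    "/System/", "/usr/", "/bin/", "/sbin/", "/Applications/",
    "/Library/PrivilegedHelperTools/", "/Library/Application Support/",
)


def executable_of(job: dict) -> str:
    """launchd runs Program when set, otherwise ProgramArguments[0]."""
    if job.get("Program"):
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def triage(plist_bytes: bytes, plist_path: str) -> Dict[str, object]:
    """Return label, executable and a list of flags worth a look.
    A flag is a lead, not a verdict: the owner of a firewall whose binary
    sits directly in /Library will recognise it; an impostor will not be
    recognised by anyone, which is the point of the exercise."""
    job = plistlib.loads(plist_bytes)
    exe = executable_of(job)
    label = str(job.get("Label", ""))
    flags: List[str] = []
    if job.get("RunAtLoad"):
        flags.append("starts at load")
    keep = job.get("KeepAlive")
    if keep is True or (isinstance(keep, dict) and keep):
        flags.append("restarted by launchd if it exits")
    if exe and not exe.startswith(EXPECTED_PREFIXES):
        flags.append(f"executable in unusual location: {exe}")
    if any(part.startswith(".") for part in exe.split("/") if part):
        flags.append("hidden path component in executable path")
    if label.startswith("com.apple.") and not plist_path.startswith("/System/"):
        flags.append("Apple-style label outside /System")
    if job.get("MachServices"):
        flags.append("exposes Mach services: " + ", ".join(job["MachServices"]))
    return {"path": plist_path, "label": label, "exe": exe, "flags": flags}


def triage_directory(directory: str) -> List[Dict[str, object]]:
    """Triage every .plist in a real launchd directory, e.g. /Library/LaunchDaemons."""
    results = []
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            path = os.path.join(directory, name)
            with open(path, "rb") as fh:
                results.append(triage(fh.read(), path))
    return results


# Constructed samples, shaped like the entries printed in the report above.
PLIST_HEAD = (b'<?xml version="1.0" encoding="UTF-8"?>\n<!DOCTYPE plist PUBLIC '
              b'"-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
              b'<plist version="1.0">')
GUARD_AGENT = PLIST_HEAD + b"""<dict>
  <key>KeepAlive</key><true/>
  <key>Label</key><string>com.example.guard</string>
  <key>ProgramArguments</key><array><string>/Library/com.example.guard</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
HELPER_DAEMON = PLIST_HEAD + b"""<dict>
  <key>Label</key><string>com.example.helper</string>
  <key>MachServices</key><dict><key>com.example.helper</key><true/></dict>
  <key>Program</key><string>/Library/PrivilegedHelperTools/com.example.helper</string>
</dict></plist>"""
IMPOSTOR_AGENT = PLIST_HEAD + b"""<dict>
  <key>KeepAlive</key><true/>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key><array>
    <string>/Users/USER/Library/.cache/updater</string><string>--daemon</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for data, path in ((GUARD_AGENT, "/Library/LaunchAgents/com.example.guard.plist"),
                       (HELPER_DAEMON, "/Library/LaunchDaemons/com.example.helper.plist"),
                       (IMPOSTOR_AGENT, "/Users/USER/Library/LaunchAgents/com.apple.softwareupdate.helper.plist")):
        r = triage(data, path)
        print(f"{r['path']}\n  runs {r['exe']}\n  " + ("\n  ".join(r["flags"]) or "nothing notable"))
```

    On a live machine, triage_directory over /Library/LaunchAgents, /Library/LaunchDaemons and ~/Library/LaunchAgents gives the same list the report prints, plus the flags; the step this offline example leaves out is checking who signed each flagged executable (codesign -dv on the path), which is what separates "unusual but mine" from "unknown".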

  • by Shawody, Level 1 (4 points)
    Apr 6, 2016 3:42 AM in response to Shawody

    Some additional info:

     

    - I've disconnected everything from my network and connected that Mac online, ran the test and uploaded it here. I was not comfortable with sharing a USB drive with a healthy machine.

    - Malwarebytes, DetectX and ClamXav/ClamAV were installed after it was infected to find possible traces. However, they're all trial versions, and Malwarebytes and DetectX seem to scan the system in a second, which looks fishy to me. ClamXav, on the other hand, doesn't allow me to select any folder other than the User folder; if I try to add something else, I just get a spinning wheel, and nothing happens even after minutes of waiting. The User folder came out supposedly clean.

    - I've just noticed in the Console that I keep getting a CoreData error and ReportCrash on a second-by-second basis. It keeps saying there is an illegal attempt to save to a file that was never opened.

  • by Shawody, Level 1 (4 points)
    Apr 6, 2016 4:26 AM in response to Shawody

    Also let me know if you need any other info. And please bear in mind that the machine does have VMware Fusion and Windows 8.1 installed... however, as mentioned before, none of the Windows folders have been encrypted.

  • by Linc Davis, Level 10 (207,926 points), Applications
    Apr 6, 2016 6:00 AM in response to Shawody

    You removed some non-personal details that would be needed for a full evaluation of the output, but that doesn't matter as far as the original question is concerned. There's no evidence of malware, known or unknown. I think the security breach was caused by virtualized Windows malware with access to the host filesystem. The same thing has happened to others. I don't know why guest files were not affected. Maybe they were protected by something running on the guest system.


    I also think that a Windows guest should not be given read-write access to the user's whole home folder on the host. I don't see the point of that, and the risks are obvious.

     

    If you don't agree with me, you should erase the startup volume, reinstall OS X, and restore only documents from a backup. All third-party software (not including useless items such as "anti-malware" and "security" products) should be reinstalled from original media or fresh downloads.

  • by Shawody, Level 1 (4 points)
    Apr 6, 2016 6:20 AM in response to Linc Davis

    Hi Linc,

     

    Thanks for getting back to me. What I removed and put into square brackets, like this: [FIREWALL], is all one and the same application. It is my firewall for internal and external connections. The only other info I removed was the serials for my hard drives; I left the brands. As you can see, I haven't messed with line numbers or anything like that.

    I value your point; however, I don't remember giving VMware read-write access to the whole user home folder. It was merely some shared folders. Is there a way you would recommend setting up VMware so that both Windows and Mac can have access to the necessary folders, while still protecting the user's home folder?

    I was planning to do a complete wipe and fresh install anyway, purely out of concern that I don't know when and how this malware/ransomware got onto the system. I was hoping that with some help I might find those details out, so I could know if I can still rescue some of the non-encrypted files. And what also troubled me is why only Mac folders were affected, and especially those in Library/Containers, but as it seems I'm not going to find more answers, it will all have to go... unless you have any other solution/tip/suggestion? :/

  • by Shawody, Level 1 (4 points)
    Apr 6, 2016 6:23 AM in response to Linc Davis

    Regarding malware and AV apps, I kinda agree with you... and as I said, they were only installed afterwards to check for possible traces. However, that didn't really happen... so they were useless, and they won't be installed again.

    Another thing I found out during my research was that even if you had one installed, if there is a new version roaming around, they'd not catch it... unless the databases have been updated for that specific threat. So mostly a lose-lose situation.

  • by Linc Davis, Level 10 (207,926 points), Applications
    Apr 6, 2016 6:47 AM in response to Shawody

    Is there a way you would recommend setting VMWare, so that both Win and Mac can have access to necessary folders, while still protecting Users home folder?

    The only reason I can see for allowing a VM access to the host filesystem is so that you can move files between it and the guest. For that purpose all you need is a single folder. It should be used for temporary storage only. Windows can't do anything useful with your permanent OS X library files. All it can do is destroy them.
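    Linc's two points (a Windows guest should not have read-write access to the host home folder, and a single transfer folder used for temporary storage is all a VM needs) can be checked against the VM's own configuration. The following is an added example, not VMware's tooling and not something from this thread: it parses the key = "value" lines of a .vmx file, collects the sharedFolderN.* entries, and reports every enabled share that reaches into the host user's home folder other than the one designated transfer folder. The key names follow the sharedFolderN.present/enabled/readAccess/writeAccess/hostPath/guestName layout and the isolation.tools.hgfs.disable switch that VMware uses; the two configurations below, the home directory /Users/jdoe and the transfer folder /Users/jdoe/VMExchange are constructed for the example.

```python
"""Audit VMware shared folders in a .vmx file against the one-transfer-folder rule.

Added example; not VMware tooling. WEAK_VMX and HARDENED_VMX are constructed,
and /Users/jdoe and /Users/jdoe/VMExchange are hypothetical paths.
"""
import posixpath
import re
from typing import Dict, List

VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Read key = "value" lines; blanks and anything else are ignored."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def shared_folders(cfg: Dict[str, str]) -> List[Dict[str, str]]:
    """Group sharedFolderN.* keys into one dict per share, in index order."""
    shares: Dict[int, Dict[str, str]] = {}
    for key, val in cfg.items():
        m = re.match(r"sharedFolder(\d+)\.(\w+)$", key)
        if m:
            shares.setdefault(int(m.group(1)), {})[m.group(2)] = val
    return [shares[i] for i in sorted(shares)]


def _is_true(value: str) -> bool:
    return value.strip().upper() == "TRUE"


def _covers(parent: str, child: str) -> bool:
    """True if parent is child or one of child's ancestors."""
    p, c = posixpath.normpath(parent), posixpath.normpath(child)
    return c == p or c.startswith(p.rstrip("/") + "/")


def audit(vmx_text: str, home: str, exchange_dir: str) -> List[str]:
    """List every enabled share that gives the guest a foothold in `home`
    other than the dedicated `exchange_dir`."""
    cfg = parse_vmx(vmx_text)
    findings: List[str] = []
    # HGFS disabled means no shared folders at all, whatever sharedFolderN says.
    if _is_true(cfg.get("isolation.tools.hgfs.disable", "FALSE")):
        return findings
    for sf in shared_folders(cfg):
        if not (_is_true(sf.get("present", "FALSE")) and _is_true(sf.get("enabled", "FALSE"))):
            continue
        host = sf.get("hostPath", "")
        if _covers(exchange_dir, host):
            continue  # inside the transfer folder: the one share we allow
        if _covers(host, home):
            scope = "the entire home folder"
        elif _covers(home, host):
            scope = host
        else:
            continue  # outside the home folder, e.g. a removable volume
        verb = "modify or encrypt" if _is_true(sf.get("writeAccess", "FALSE")) else "read"
        findings.append(f"share '{sf.get('guestName', '?')}': guest can {verb} {scope}")
    return findings


# Weak: real folders of the host home directory handed to the guest, one of
# them the home folder itself (read-only, which still leaks everything).
WEAK_VMX = '''displayName = "Windows 8.1"
sharedFolder.maxNum = "3"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.readAccess = "TRUE"
sharedFolder0.writeAccess = "TRUE"
sharedFolder0.hostPath = "/Users/jdoe/Desktop"
sharedFolder0.guestName = "Desktop"
sharedFolder1.present = "TRUE"
sharedFolder1.enabled = "TRUE"
sharedFolder1.readAccess = "TRUE"
sharedFolder1.writeAccess = "TRUE"
sharedFolder1.hostPath = "/Users/jdoe/Documents/Projects"
sharedFolder1.guestName = "Projects"
sharedFolder2.present = "TRUE"
sharedFolder2.enabled = "TRUE"
sharedFolder2.readAccess = "TRUE"
sharedFolder2.writeAccess = "FALSE"
sharedFolder2.hostPath = "/Users/jdoe"
sharedFolder2.guestName = "jdoe"
'''
# Hardened: exactly one share, a folder that holds nothing permanent.
HARDENED_VMX = '''displayName = "Windows 8.1"
sharedFolder.maxNum = "1"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.readAccess = "TRUE"
sharedFolder0.writeAccess = "TRUE"
sharedFolder0.hostPath = "/Users/jdoe/VMExchange"
sharedFolder0.guestName = "Exchange"
'''

if __name__ == "__main__":
    for name, text in (("weak", WEAK_VMX), ("hardened", HARDENED_VMX)):
        print(name + ":", audit(text, "/Users/jdoe", "/Users/jdoe/VMExchange") or ["ok"])
```

    The rule the audit encodes is the one stated above: anything the guest can write, guest malware can encrypt, so the only writable share is a folder whose contents you can afford to lose. A read-only share of the home folder is listed too, because it still lets the guest read (and exfiltrate) everything. Setting isolation.tools.hgfs.disable to TRUE removes shared folders entirely, which is the right answer when a USB drive, as suggested later in the thread, does the transfer job.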

  • by Shawody, Level 1 (4 points)
    Apr 6, 2016 9:33 AM in response to Linc Davis

    What would you recommend to do when you need one file to be accessible to both all the time, as it is synced to Google Drive? Is there a middle ground, or would you need to run two separate Google Drive clients...one on Mac and the other on Win platform in order to avoid Windows having too much access?

  • by Kurt Lang, Level 8 (37,681 points)
    Apr 6, 2016 9:57 AM in response to Shawody

    Typically, VMs allow the host OS to see USB drives. So you could format a 16 GB (or whatever size you need) flash drive as FAT32 or exFAT. Put the files from the Mac onto the drive. In the VM, the flash drive should appear as a mountable drive without having any other type of access to OS X. It can also of course be used in reverse. Put files from Windows onto the USB drive and dismount it. Pull the files off the drive from OS X.

  • by Linc Davis, Level 10 (207,926 points), Applications
    Apr 6, 2016 10:16 AM in response to Shawody

    would you need to run two separate Google Drive clients...one on Mac and the other on Win platform

    I see no reason not to do that. But don't forget: if Windows malware destroys cloud data, all clients that access the same data will be affected.

  • by Shawody, Level 1 (4 points)
    Apr 6, 2016 10:28 AM in response to Kurt Lang

    This is going to be fun to explain to my friend. :/

     

    *sarcasm*

    Yes you can work side by side, but no, you can't see the files. You have to copy/paste onto the USB drive, then eject the drive, plug it back in and enable it in Windows. Do your work, save it back to the USB drive, eject it and reconnect it in Mac and save the file to where it was.

    *sarcasm*
