Remove Malware/Virus from Backups.backupdb (TimeMachine)
Hello,
I have Spyware, Trojan and a keylogger on my system in a circle loop that gets moved back to each computer that my login is attached- I think it's from Apple automatically synchronization however I'm not an expert.
So, now, I am sharing a conundrum. I have back-up drives, local system files and server-side mail synchronization files that are Trojan/Malware/Bad-Guys that automatically get placed onto new OS installations and new computers when synchronizing- I think that's when it happens... Below this is a complete detail of what's happening in hopes that a MR. LINC DAVIS sees or anyone else sees and can help. Currently, each machine is open, on, has Sophos on with the log open. Every file that could not be quarantined with Sophos is opened and on the desktop waiting for me to figure out how to remove them. Each enclosed folder that has a Trojan/Spyware/Keylogger file on the USB-connected drive is open in its own Finder window awaiting instructions - I'd really like the best, Linc Davis, to perhaps advise using Terminal; however, anyone who understands these systems, please help, I follow instructions very well--- Perhaps a unique method for synchronization capturing the file and isolating it with Automator or something? Perhaps using the log files of Sophos? Can it be done when encountering "Error -8058" unable to remove manually in folder-view? Anyway, here is what's going on....
Hardware & Fresh OS X version
Macbook Pro (late 2011, 17-Inch), OS X Yosemite
Macbook Pro (late 2012, 15-inch), OS X Mavericks
Macbook Pro (late 2013, 15-inch), OS X Yosemite
iMac 27-inch (late 2013), OS X Yosemite
My user profile is ADMINISTRATOR, Group is Admin
My user profile is: "OWNER" for the Macbook Pros
When the 17-inch crashed, hard, I scanned each system, backed-up/cloned then erased hard drives and installed OS & Software
If the software is important to be known, I'll post it - Mostly well-known brands and all are professional software.
Setting up the legacy software applications onto these Macs takes days and a lot of finesse; when I wiped and installed OS X (per computer, within the recent 3 weeks), I thought I was completely protected from any spyware/trojan/virus embedding into any of these fine-operating computers.
I had problems getting Sophos to run properly for a long time until I tried it last week, Sophos finally works well with Mavericks and Yosemite, so, I'm using it, it's the best (in my opinion)
I ran Sophos a week ago, Sophos found 44 issues and these OS/Software installations (and preferences-setup) took an extremely long time --- occurred during May 28-30, 2015 and June 12-14, 2015) -
Removing the local file is troublesome for the MAIL folders because MAIL gets corrupted and won't work completely or works as though it has pieces and parts missing. Even with Spam Assassin and Box Trapper and firewalls/anti-virus --- with all the tools enabled to protect, the malware and trojans/keyloggers are on my computer, found by Sophos, verified by various sources online--- my research.
The Problem which brought me here: Sophos found a conundrum:
Sophos found malware & several trojans on USB backup volumes (1, 2, 2 & 4TB) used as Time Machine Backup Drives AND 1 4TB drive used as Time Machine Backup AND has 1 folder which I drag/drop storage for storage.
Issue is related to items within these Backup Volumes (backups.backupdb/Name/Date/Macintosh HD/....) and Mail folders local/server & backup. Here's how I ended up here...
I'm running newly installed Sophos
Previously, I used Apple-provided virus removals, ClamXav & MacScan in Authentication mode - which never found these issues
--- Sophos found known malware, trojans & keyloggers in various archive formats, mostly zip, however some of them are in "htm" format and other formats (rar/exe) located in timemachine Backup volumes---
Sophos was scheduled to scan LOCAL computers during dark morning hours, every day. The malware is found on the connected volumes and they are located (all but 4 files) in various email folders as an email, an "htm" file, or an attachment item in an email folder, on all computers with my login, all backups; server-side sync also brings these to the computer.
Sophos tried to "Deny Access" "Clean Up" and "Delete" however these actions failed (OS X Yosemite & Mavericks). I believe the failure is from permissions on the backup volumes- It has to be.... I think Special Owner or special admin user permissions are required to EDIT/DELETE the precise file?
Timeline of events that Add Up PLUS Credentials: User, Admin, Owner
I am administrator and "owner" however Error -8058 unable to remove, manually. I suspect that is user/admin permissions built into Mavericks and Yosemite.
Mavericks
I installed Mavericks when it came out, Computers began having problems which seemed to be related to the OS. ALL SOFTWARE CONSTANTLY CRASHED ! WITHOUT WARNING ! that still happens... Adobe & Apple...
The Macbook Pro 17-Inch began crashing, HARD, after Mavericks was installed.
After a while, the hard drives on 3 computers began to go out, were replaced, then strange graphics, not able to login, then self corrected- graphics oddness happening on all computers with my Apple login- I must be crazy ! Nooooo.
Then flickering and funky-ness on the iMac & 17-Inch - Mavericks, right?
then slower than usual iMac, laptops, strange graphics, boot up time was forever, the heat was INTENSE, I couldn't have them on my lap. The OS was the culprit, maybe not !
Batteries replaced - too hot maybe?,
Then, Lots of heat and another 2 hard drives,
Then, Memory on two computers got "corrupted", Apple removed the memory and replaced it (These are warranty!) -
Yosemite
Next, Upgrade to Yosemite then many months later, drained battery, software constantly crashed, I thought this was the OS X Yosemite and I am partly correct however, now, the Logic Board had to be replaced, the memory had to be replaced, as well.
WOW! Super heat, Super Slow and parts dying as if they were knock-off or something- I don't know how to explain it, I haven't had issues like this before
The 17-inch memory caused the laptop not to boot up... Apple replaced the memory - I mean!!! I'm not that intense with software however the software I use are each massive installs, intense on the computers, graphically intense, processor dependent, you get the picture- This can be rationalized, especially when other people are having OS X issues that sound similar to what I'm dealing with...
Hard drive on iMac & 15-Inch goes "bad"- Replaced,
Then, Logic Board goes out on a Warranty - 2 years of use Laptop ! WHAT???
I do keep the virus protection going, firewalls up- not using vault...
All the while, I keep another iMac and Macbook not signed in to iCloud and not using the Mail App. They are fine, just replaced hard drives, they are "normal" - I now call them "Controls"
My main computer is the 17-inch- it has the most amount of warranty work...
I install Sophos- It wouldn't work on Mavericks so I used other software until I tried it 3 weeks ago in preparation for the 5K iMac that I custom built to its maximum potential, I want to ensure it has no issues!
Sophos found some items that are concerning....
Coincidentally, after removing some trojans found by Sophos --- 2 weeks ago --- a much-used, remotely-connected web server's main www webroot folder located in the Finder's Sidebar had its server-side contents completely removed, the entire website's www web root FOLDER ON THE SERVER WAS GONE! No logged info, No trace of how- just gone. The hosting company for this server is a registrar, they are asking me to find out Why/How the Macbook Pro 17-Inch crashed, the cause of the crash is requested- Apple didn't provide this information, they currently have the 17-inch to complete items they missed so I do not have the physical 17-inch Macbook Pro, I have its cloned drive while Apple works on the computer.
History on Backup volumes
One of the email addresses for a company began receiving lots of SPAM and just plain JUNK - all of a sudden and lasted the span of 3 months before I took over the server from the IT Department and corrected it.
I took over the email server for the company, moved the data to my reseller account, set-up Spam Assassin and Box Trapper plus custom-port SSL, that mail is now secure "IN TRANSMISSION" however the emails contained within these email accounts synchronized, I guess synchronizing by way of Macintosh automatically sync settings/data with clients/servers - esp. mail - extremely Important data, though, 44 files within that vast amount of data are indeed malware/trojan/xyz-bad.
After moving the server, cleaning up local machines of Malware, Trojans, etcetera, AND creating NEW backups, Sophos was installed and is finding threats on the cleaned backups that neither Apple nor ClamXav nor MacScan found, these are clearly trojan and keylogger- I looked up a few, randomly, plain as day! Baaaaad guys.
What Can Be Done and How?
Local,
Server-Mail
USB-external backup volumes
Now that Sophos is running and finding these fresh OS installations - I guess by Apple automatically synchronizing settings and mail (Off now, for the time being), plus, another Macbook 15-Inch is stripped down and not using mail, Sophos found these in a couple of library folders.
-------------------------------------------------------
When I have a method to correct, I'll apply to the remaining devices, below:
iMac 27 OS X Yosemite (Late 2013)
iMac 27 5K (ordered with every option) - (Mid 2015) OS X Yosemite
Macbook Pro OS X Mountain Lion (late 2009)
Macbook Air OS X Mountain Lion (Early 2013)
iMac OS X Snow Leopard (late 2008)
Time Capsules from 2010, 2012, 2013 most likely have these same issues, I turned them offline until I can figure this out.
Thank you in advance:
David
MacBook Pro, OS X Yosemite (10.10.3), Non-Retina, SSD
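Added example, not part of the post above and not Sophos or Apple code: a small triage script for the situation described, where a scanner flags files under a Time Machine volume but Finder and the scanner's own "Delete" fail. Time Machine writes deny-delete ACLs onto the Backups.backupdb tree, so an ordinary unlink is refused even for an admin; the supported way to drop a path from a backup set is `tmutil delete` run as root. The script takes a list of flagged paths (a constructed sample replaces the real scan log; the drive, machine and mailbox names in it are made up), keeps only the ones that sit inside Backups.backupdb, shows the blocking ACL with `ls -le`, and only issues `tmutil delete` when DRY_RUN is switched off, so the default run just prints what it would do.

```shell
#!/bin/sh
# Added example: triage scanner-flagged paths on a Time Machine volume.
# Assumptions: macOS with tmutil and ls -le; paths come one per line from
# a scan log (constructed sample below, not real Sophos output).
# DRY_RUN=1 (default) prints the tmutil commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"

# Constructed sample of flagged paths. Two are inside a backup set, one is a
# live Mail file, one is a plain folder on the same external drive.
SAMPLE_LOG='/Volumes/Backup4TB/Backups.backupdb/imac27/2015-06-14-031500/Macintosh HD/Users/david/Library/Mail/V2/IMAP-example/INBOX.mbox/Messages/1234.emlx
/Users/david/Library/Mail/V2/IMAP-example/INBOX.mbox/Messages/99.emlx
/Volumes/Backup4TB/Backups.backupdb/imac27/2015-06-12-020000/Macintosh HD/Users/david/Downloads/invoice.zip
/Volumes/Backup4TB/DragDrop/archive.rar'

# Succeed only when the path lies under a Backups.backupdb tree; those are
# the paths where rm/Finder fail and tmutil is the right tool.
is_backupdb_path() {
  case "$1" in
    */Backups.backupdb/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Emit the flagged paths that live inside Time Machine backups.
backupdb_paths() {
  printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r p; do
    if [ -n "$p" ] && is_backupdb_path "$p"; then
      printf '%s\n' "$p"
    fi
  done
}

# How many flagged paths need the tmutil route.
count_backupdb_paths() {
  backupdb_paths | wc -l | tr -d ' '
}

# For each backup-resident path: show the ACL that blocks deletion, then
# remove it from the backup set with tmutil (root required).
remove_from_backups() {
  backupdb_paths | while IFS= read -r p; do
    if [ "$DRY_RUN" = "1" ]; then
      printf 'would run: sudo tmutil delete "%s"\n' "$p"
    else
      ls -le "$p"
      sudo tmutil delete "$p"
    fi
  done
}

remove_from_backups
```

Paths that are not under Backups.backupdb (the live Mail message, the drag-and-drop folder) are deliberately left alone here: those are ordinary files where the usual quarantine or removal works, and the Mail ones are better handled by deleting the message in Mail so the mailbox index stays consistent. Run with `DRY_RUN=0` only after checking the printed list.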