
Remove Malware/Virus from Backups.backupdb (TimeMachine)

Hello,

I have spyware, a Trojan and a keylogger on my system in a circle loop that gets moved back to each computer my login is attached to. I think it's from Apple's automatic synchronization; however, I'm not an expert.

So, now, I am sharing a conundrum. I have back-up drives, local system files and server-side mail synchronization files that are Trojan/Malware/Bad-Guys that automatically get placed onto new OS installations and new computers when synchronizing - I think that's when it happens... Below is a complete detail of what's happening in hopes that MR. LINC DAVIS or anyone else sees it and can help. Currently, each machine is open, on, and has Sophos running with the log open. Every file that could not be quarantined with Sophos is opened and on the desktop waiting for me to figure out how to remove them. Each enclosed folder that has a Trojan/Spyware/Keylogger file on the USB-connected drive is open in its own Finder window awaiting instructions - I'd really like the best, Linc Davis, to perhaps advise using Terminal; however, anyone who understands these systems, please help, I follow instructions very well--- Perhaps a unique method for synchronization capturing the file and isolating it with Automator or something? Perhaps using the log files of Sophos? Can it be done when encountering "Error -8058" unable to remove manually in folder view? Anyway, here is what's going on....

Hardware & Fresh OS X version

Macbook Pro (late 2011, 17-Inch), OS X Yosemite

Macbook Pro (late 2012, 15-inch), OS X Mavericks

Macbook Pro (late 2013, 15-inch), OS X Yosemite

iMac 27-inch (late 2013), OS X Yosemite

My user profile is ADMINISTRATOR, Group is Admin

My user profile is: "OWNER" for the Macbook Pros

When the 17-inch crashed, hard, I scanned each system, backed-up/cloned then erased hard drives and installed OS & Software

If the software is important to be known, I'll post it - Mostly well-known brands and all are professional software.


Setting up the legacy software applications onto these Macs takes days and a lot of finesse. When I wiped and installed OS X (per computer, within the recent 3 weeks), I thought I was completely protected from any spyware/trojan/virus embedding into any of these fine-operating computers.

I had problems getting Sophos to run properly for a long time until I tried it last week. Sophos finally works well with Mavericks and Yosemite, so I'm using it; it's the best (in my opinion).

I ran Sophos a week ago; Sophos found 44 issues. These OS/Software installations (and preferences setup) took an extremely long time (they occurred during May 28-30, 2015 and June 12-14, 2015).

Removing the local file is troublesome for the MAIL folders because MAIL gets corrupted and won't work completely, or works as though it has pieces and parts missing. Even with Spam Assassin and Box Trapper and firewalls/anti-virus --- with all the tools enabled to protect, the malware and trojans/keyloggers are on my computer, found by Sophos, verified by various sources online--- my research.


The Problem which brought me here: Sophos found a conundrum:

Sophos found malware & several trojans on USB backup volumes (1, 2, 2 & 4TB) used as Time Machine backup drives AND one 4TB drive used as a Time Machine backup AND which has 1 folder I drag/drop into for storage.

Issue is related to items within these Backup Volumes (backups.backupdb/Name/Date/Macintosh HD/....) and Mail folders local/server & backup. Here's how I ended up here...

I'm running newly installed Sophos

Previously, I used Apple provided virus removals, ClamXav & MacScan in Authentication mode -which never found these issues

--- Sophos found known malware, trojans & keyloggers in various archive formats, mostly zip, however some of them are in "htm" format and other formats (rar/exe) located in timemachine Backup volumes---

Sophos was scheduled to scan LOCAL computers during dark morning hours, every day. The malware is found on the connected volumes and they are located (all but 4 files) in various email folders as an email, an "htm" file, or an attachment item in an email folder, on all computers with my login and all backups; server-side sync also brings these to the computer.

Sophos tried to "Deny Access" "Clean Up" and "Delete" however these actions failed (OS X Yosemite & Mavericks). I believe the failure is from permissions on the backup volumes- It has to be.... I think Special Owner or special admin user permissions are required to EDIT/DELETE the precise file?

Timeline of events that Add Up PLUS Credentials: User, Admin, Owner

I am administrator and "owner"; however, I get Error -8058, unable to remove manually. I suspect that is user/admin permissions built into Mavericks and Yosemite.

Mavericks

I installed Mavericks when it came out, Computers began having problems which seemed to be related to the OS. ALL SOFTWARE CONSTANTLY CRASHED ! WITHOUT WARNING ! that still happens... Adobe & Apple...

The Macbook Pro 17-Inch began crashing, HARD, after Mavericks was installed.

After a while, the hard drives on 3 computers began to go out, were replaced, then strange graphics, not able to login, then self corrected- graphics oddness happening on all computers with my Apple login- I must be crazy ! Nooooo.

Then flickering and funky-ness on the iMac & 17-Inch - Mavericks, right?

then slower than usual iMac, laptops, strange graphics, boot up time was forever, the heat was INTENSE, I couldn't have them on my lap. The OS was the culprit, maybe not !

Batteries replaced - too hot maybe?,

Then, Lots of heat and another 2 hard drives,

Then, Memory on two computers got "corrupted", Apple removed the memory and replaced it (These are warranty!) -

Yosemite

Next, Upgrade to Yosemite then many months later, drained battery, software constantly crashed, I thought this was the OS X Yosemite and I am partly correct however, now, the Logic Board had to be replaced, the memory had to be replaced, as well.

WOW! Super heat, Super Slow and parts dying as if they were knock-off or something- I don't know how to explain it, I haven't had issues like this before

The 17-inch memory caused the laptop not to boot up... Apple replaced the memory - I mean!!! I'm not that intense with software however the software I use are each massive installs, intense on the computers, graphically intense, processor dependent, you get the picture- This can be rationalized, especially when other people are having OS X issues that sound similar to what I'm dealing with...

Hard drive on iMac & 15-Inch goes "bad"- Replaced,

Then, Logic Board goes out on a Warranty - 2 years of use Laptop ! WHAT???

I do keep the virus protection going, firewalls up- not using vault...

All the while, I keep another iMac and Macbook not signed in to iCloud and not using the Mail App. They are fine, just replaced hard drives, they are "normal" - I now call them "Controls"

My main computer is the 17-inch- it has the most amount of warranty work...

I installed Sophos - It wouldn't work on Mavericks so I used other software until I tried it 3 weeks ago in preparation for the 5K iMac that I custom built to its maximum potential. I want to ensure it has no issues!

Sophos found some items that are concerning....

Coincidentally, after removing some trojans found by Sophos --- 2 weeks ago --- a much-used, remotely-connected web server's main www webroot folder located in the Finder's Sidebar had its server-side contents completely removed; the entire website's www web root FOLDER ON THE SERVER WAS GONE! No logged info, no trace of how - just gone. The hosting company for this server is a registrar; they are asking me to find out why/how the Macbook Pro 17-Inch crashed. The cause of the crash is requested - Apple didn't provide this information. They currently have the 17-inch to complete items they missed, so I do not have the physical 17-inch Macbook Pro; I have its cloned drive while Apple works on the computer.

History on Backup volumes

One of the email addresses for a company began receiving lots of SPAM and just plain JUNK - all of the sudden and lasted the span of 3 months before I took over the server from the IT Department and corrected it.

I took over the email server for the company, moved the data to my reseller account, set-up Spam Assassin and Box Trapper plus custom-port SSL, that mail is now secure "IN TRANSMISSION" however the emails contained within these email accounts synchronized, I guess synchronizing by way of Macintosh automatically sync settings/data with clients/servers - esp. mail - extremely Important data, though, 44 files within that vast amount of data are indeed malware/trojan/xyz-bad.

After moving the server, cleaning up local machines of Malware, Trojans, etcetera, AND creating NEW backups, Sophos was installed and is finding threats on the cleaned backups that neither Apple nor ClamXav nor MacScan found. These are clearly trojan and keylogger - I looked up a few, randomly, plain as day! Baaaaad guys.

What Can Be Done and How?

Local,

Server-Mail
USB-external backup volumes

Now that Sophos is running and finding these fresh OS installations - I guess by Apple automatically synchronizing settings and mail (Off now, for the time being), plus, another Macbook 15-Inch is stripped down and not using mail, Sophos found these in a couple of library folders.

-------------------------------------------------------


When I have a method to correct, I'll apply to the remaining devices, below:

iMac 27 OS X Yosemite (Late 2013)

iMac 27 5K (ordered with every option) - (Mid 2015) OS X Yosemite

Macbook Pro OS X Mountain Lion (late 2009)

Macbook Air OS X Mountain Lion (Early 2013)

iMac OS X Snow Leopard (late 2008)

Time Capsules from 2010, 2012, 2013 most likely have these same issues, I turned them offline until I can figure this out.

Thank you in advance:

David

MacBook Pro, OS X Yosemite (10.10.3), Non-Retina, SSD

Posted on Jun 16, 2015 11:04 AM

Question marked as Best reply

Posted on Jun 16, 2015 11:47 AM

It's difficult to even know where to start with how badly you've mangled your system with garbage software (read, any AV software) and who knows what else you've inflicted your Macs with. I also question how you would even know if you have a keylogger or spyware. Such software will do everything it can to hide itself from the user.


As far as Sophos goes, it's pretty much a 100% guarantee it found Windows only malware in email attachments. If anything is on your Time Machine backups, just don't restore anything from them when you setup your Mac. Anything on a TM backup cannot in any way install itself back to any Mac. YOU have to do that.


What I would do:


1) If you think something is on that particular flash drive, why do you keep plugging it in? Besides the fact there is no Mac malware that can self launch or load itself merely by plugging a drive in. Just format it with Disk Utility. Done.


2) Manually backup your personal data to another drive. Your Word documents, email database, photos, etc. To make sure you can manually copy anything back after the following steps, use Disk Utility to create a .dmg image of the entire drive to an external drive.


3) Boot into Recovery Mode by restarting and holding down Command+R. Launch Disk Utility first and erase the main drive. Then reinstall OS X.


4) Reinstall your third party apps from their original disks or purchased downloads. DO NOT restore anything from any TM backup.


5) Manually copy your personal data back onto the drive from step 1.


6) Do not install any AV software. It is all useless junk. Do not install other complete garbage software such as MacKeeper, CleanMyMac, etc.


Jun 16, 2015 3:53 PM in response to Kurt Lang

How do I delete 44 files in the time machine backups without removing all of the time machine data ? That's the question here. Also, Is it possible that these "threats" have caused this much damage & how do I remove the synchronized mail items which contain malware/trojans/virus when I remove from local, tell server to delete and it sync's back and appears again?



Thank you for your reply. I require the data from the folders, particularly the data within the mail folders, and that's where the majority of the Sophos "threats" are located; please see attached image. Do you know how to remove a file from within a folder inside a Time Machine backup? I can see the file; I don't have permission to remove it. That's what I must accomplish here. I am mindful of space, pay attention to detail and am particularly mindful when the subject matter is software installation onto my computers. Perhaps software you do not need or otherwise think of as "trash" or "garbage" is software that I, in fact, do require to complete my work as well as play.


Every application installed onto my computers is done so by me and me only. If the App store does not carry the application, I locate the vendor's website, read/research prior to even thinking about downloading and installing. If said App is not in the App Store, I wonder why so when the occasion does arise whereas I want to proceed with installation of an App, I do so by visiting the vendor's main corporate website and download directly from them. Take for instance FireFox Developer Browser; it is not available in the App store however Mozilla does allow verified developers to download the browser from their website although that same browser might be located on sharing websites or peer to peer sh tunnels, that, Kurt, is considered "trash" or "garbage" to me, although you may think otherwise.






Regardless, How did I mangle the computer's software? The timeline written in the original post spans years between 2008/9 - June 2015, and I'm pointing out that during that time, I've had 1 instance of email spam/hackery-possibly (I don't know) once and upgraded the Operating System to Mavericks (problems began) then Yosemite (Even costlier problems) however I am not sure that the OS is to blame... the times when I've had to take the computers in for repairs began with Mavericks and Yosemite, prior to that, I never had a computer problem that had to be handled by Apple or that had to be taken in to the Apple store.


If it is not OS, which I hope that's not the case because I rely on this OS, then it has to be the files that Sophos found, there were quite a bit, as I said. In the screen shot, you'll see some of the "threats", look at the dates, mostly 2014 in this window- that means, all of the virus protection, including the paid Intego protection, did not catch any of these for a very long time. I think some malice has gone on- though I do not believe a physical human typed on my computers at all, I think it's code... from email most likely- how these could be on there for so long is beyond me- one of the many antivirus Plus Apple's tools, something else should have caught these.


If I have an incorrect method for installation and use of software, I must know and be told, I've worked like this for almost a decade. I'd have to start over with how I install and set-up new computers, now is the time, I don't want any of this getting inside the 5K masterpiece.


I don't install software from Time Machine backups. I tried that a very long time ago --- between 2006 - 2009 ish--- when I first began using a Mac as a primary computer; it didn't work so well. I erased the hard drive and used Time Machine to select a window to, what I thought was an ingenious idea, begin working on the computer as if nothing had occurred, picking up where I left off in that moment, from that Time Machine back-up. That was so not the case; it was, in its stead, a GUI for manual backups - I didn't see the need until I found that Apple doesn't allow access to most of the system. To say the least, I spent the next few days trying to find software and key codes and trying to log in to webmail to find a software purchase date - that was not fun and I lost quite a bit of work along the way. I lost software because, to minimize fossil fuel, I decided to not get physical copies of software, only digital, and since I could not retrieve it at that time, it was gone.


After that learning curve, I decided to never rely on Apple for software backups, only text information and email data. Now, I may not be able to use Time Machine for any of it, really... certainly not software.


I do stash items in folders on specific dates, use time machine to back everything up then delete the data locally, whenever I require that data, I open time machine and bring folders back from that time. That's about it, that and email... It helps with space, somewhat.


I also use hubs, for space, I'm using an Elgato Thunderbolt hub, when I connected the hub to the computer, the graphics began doing something new, I also saw red and white pinstripes on the display, Apple said it sounds like a graphics card. Apparently, the logic board began giving problems during the same time as I began using the thunderbolt hub, I was using a USB hub prior to that, perhaps that is coincidence?


I don't know what the logic board does --- I'll google it when I have time.


What I'm trying to say is I'm mindful of space, minimalism is important to me. I'm very anal retentive about non-apple-verified anything being in any of the computers under my control -- actually, I'm the definition of anal retentive --- especially with security, I keep the firewall up and I don't add additional firewalls, I follow Apple's rules. When these "threats" were found, I couldn't believe it and it got me thinking, what if the issues I'm encountering were caused by these "threats"?


I'll share just how I set-up a new computer, this is what I did last week;


After Operating System and updates to OS, this is the order --- perhaps I should Target Disk Mode and reformat the drive prior to installation;


1) Install software from CDs using pass key:

Adobe Master Suite CS6 - set up and preferences takes a while -

Final Cut Studio (FCP7, Motion, Soundtrack, etcetera- Preferences & set-up, for me, this takes a long time)

Logic Pro (same as Final Cut, preferences & set up takes a while)


2) Install software from App store:

Apple Remote Desktop

Final Cut Pro X, Motion, and Compressor (the updated version of studio has some features I use)

Server.app

Xcode

etcetera ... Applications that I use often... App store, like Microsoft, Quicktime 7,

3. Installation from Vendors (Third Parties, not in the App Store)

Adobe Creative Cloud (Complete)

Brother & Samsung Printers

Chrome browser

Firefox Developer browser

Opera browser

4. Non-Apple Developer-Signed Software Outside of the App Store that I use Often! Perhaps I shouldn't use these?

MAMP Pro

MySQL Workbench

Cyber Duck

Fetch

Stuffit

Toast


I use "Drive Genius 4" for cloning - It's superior to Carbon Copy Cloner in my experience.


Not in App Store or Not Recognized Signature are:

iCADMac

OmniGraffle Professional

Silverlight

That's the list of every software I install. Then, I go through and do settings and preferences on each one, which takes a very long time as they have to be typed for different customizations to the software, etceteras...


There is not another application on my system other than what you see and what ever came with the computer.


If this is mangled, if I have too many applications, I do need to know, and I thank you for pointing it out.


The only software that has "AV" in it is ClamXav, which is no longer on any of my computers since Sophos is working. ClamXav is from the App Store at: https://itunes.apple.com/us/app/clamxav/id430207028?mt=12


Even though it is not on my computer, I don't think it would be in the App store if it harmed a computer.


The list is pretty straight forward for a video/graphics/web person.


I think something in particular is on the server and in the computers' email, including icloud.com email - one is inside that folder as well. I can remove it locally, but it gets placed in the local folder when Mail is set up and synchronized. I don't know how to get into the server side mac. I'm digging into that tonight.



I have all of the windows open so that when someone does know how to remove single files manually from a backup, I'll be able to know exactly where each one is located.


Plus, could any of those be the culprit to all of these brand-new warrantied-mac-break-downs since Mavericks- If so, I'll feel much better.


- David

Jun 16, 2015 5:51 PM in response to VoilaMagic

How do I delete 44 files in the time machine backups without removing all of the time machine data?

You don't need to. As I suspected, they're all Windows malware that can't do a thing to your Mac. At least the ones within the file listing are. I can also see they're in .zip files, which are typical for these types of Trojans. It gets them past email filters looking directly for such malware. The Windows user unwittingly opens the attached .zip file and bam!


Beyond that, you can't just manually delete things out of a TM backup. That's a very good way to wreck it. You could do either of these:


1) If you know for a fact there are no older versions of files you need on the TM backup, just erase the drive. Then when TM asks if it can use the drive for backups, say yes.


2) If you do know there are older versions of files you don't want to lose yet, then don't do anything. They're completely harmless to your Mac, and as the backup drive fills up and TM needs space for newer files, it deletes the oldest items on the drive. Eventually, those will also be deleted.

I require the data from the folders, particularly the data within the mail folders, and that's where majority of the Sophos "threats" are located,

If you need to restore those emails, go ahead and do so. When they're back in Mail, delete the attachments carrying the Windows malware. If for no other reason so you don't accidentally forward them to a Windows user.

Perhaps software you do not need or otherwise think of as "trash" or "garbage" is software that I, in fact, do require to complete my work as well as play.

I stand by my comment. All AV software is useless. Especially for a Mac. There has yet to be one actual virus that affects OS X. There are Trojans out there, but they are almost all in the form of extra software added to illegal downloads of commercial software such as Photoshop. It's extremely rare to get any type of Mac Trojan or worm in an email. You will find almost no senior members of these forums who would tell you to install AV software.

Every application installed onto my computers is done so by me and me only. … sharing websites or peer to peer sh tunnels, that, Kurt, is considered "trash" or "garbage" to me, although you may think otherwise.

Then you're ahead of many users who install apps from anywhere. Especially if they think they can get expensive software for "free". Heck, I've seen people post here about stealing a $5 app from a torrent because they were too dang cheap to pay for even something that inexpensive. Hope they got what they deserved. As yourself, I won't touch anything from P2P or torrent sites. That is the number one way crooks get Mac malware installed.

Regardless, How did I mangle the computer's software?

From just Sophos AV software, likely not. It often follows with users we see here that if they install AV software, they also install the worst garbage software available, such as MacKeeper, CleanMyMac, etc. Those are all known to do a bang-up job destroying Mac systems. Glad to hear you're not one of them.

then it has to be the files that Sophos found, there were quite a bit, as I said.

As noted, they're all harmless to you. And if those same files were not found on your main drive, then they're really harmless. You would have to intentionally restore them from the TM backup and then intentionally forward them to Windows users, who will then hate you.


If you work in a mixed environment of Macs and PCs, or deal with other clients using Windows, then you actually should have some sort of AV software. But really, you're just protecting them from getting Windows malware forwarded to them from you. It isn't doing anything for you other than eating up system resources and slowing your Mac down.


Of any AV software for the Mac, the one folks here will recommend is ClamXav. It's the least intrusive one you can get, and it's free.

The only software that has "AV" in it is ClamXav

A bit too literal interpretation of my comment "AV". I wasn't referring to a particular file or product name. It's just the generic abbreviation of Anti Virus.

I keep the firewall up and I don't add additional firewalls

Be aware that firewalls serve only one purpose: keeping snooping losers from getting into your computers from an outside connection. They can't do a thing to stop the user from downloading and installing malware. I suspect you already know this, but just wanted to note it.


From your list, you do indeed keep a very clean system (as do I). I only install what I need, and only trusted software from known vendors, or shareware titles that have been heavily vetted and approved. If I do try something unknown, I make a full backup first, turn that drive off, then test. If it turns out to be junk, I can then boot to the external and clone back my clean setup.


As a guess, I would suspect Sophos is slowing down your system. Try removing it and use ClamXav instead. Run it manually whenever you want to search your drives. Then it's not sitting in RAM all the time like Sophos. Also, please download and run EtreCheck. Post the results here. It may help the folks here spot items you may want to consider removing from your Mac. EtreCheck is a trusted utility written and maintained by etresoft, another longtime user on these forums.
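As an added illustration of the triage Kurt describes (a hit that exists only inside the backup versus one also present on the main drive), and not part of this thread or of any Sophos/Time Machine tooling: the script below maps paths under Backups.backupdb to their live locations and reports which flagged items still exist on the running system, without touching the backup at all (Time Machine protects backup contents with a deny ACL, visible with `ls -le` on macOS, which is why neither Finder nor an admin account can delete single items). It assumes the standard HFS+ Time Machine layout; the volume, machine name, snapshot dates and flagged paths are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Triage AV hits reported inside a
# Time Machine backup: map each backup path to its live location and check
# whether the same file exists on the running system. Nothing is deleted.
# Assumed layout (standard HFS+ Time Machine tree):
#   <volume>/Backups.backupdb/<machine>/<YYYY-MM-DD-HHMMSS>/<disk>/<path>
# LIVE_ROOT re-roots the check at a mounted clone or a test directory;
# unset, the running system ("/") is checked.

# Convert a path inside Backups.backupdb to the corresponding live path.
# Returns 1 (prints nothing) when the path is not inside a TM backup.
tm_live_path() {
    _rest=${1#*/Backups.backupdb/}
    [ "$_rest" = "$1" ] && return 1
    # strip <machine>/<snapshot>/<disk>; what remains is relative to the disk
    _rest=${_rest#*/}
    _rest=${_rest#*/}
    _rest=${_rest#*/}
    printf '%s/%s\n' "${LIVE_ROOT:-}" "$_rest"
}

# Read one flagged backup path per line from the file $1, write a status
# line per hit to stderr, and print the number of hits that also exist on
# the live system (the ones worth acting on) to stdout.
tm_triage() {
    _live=0
    while IFS= read -r _hit || [ -n "$_hit" ]; do
        [ -z "$_hit" ] && continue
        if ! _lp=$(tm_live_path "$_hit"); then
            printf 'SKIP (not a TM path) %s\n' "$_hit" >&2
            continue
        fi
        if [ -e "$_lp" ]; then
            printf 'LIVE        %s\n' "$_lp" >&2
            _live=$((_live + 1))
        else
            printf 'BACKUP-ONLY %s\n' "$_hit" >&2
        fi
    done < "$1"
    echo "$_live"
}

# Constructed demo: three scanner hits, one of which is still present on
# the simulated live system (a temp directory standing in for "/").
tm_demo() {
    _d=$(mktemp -d) || return 1
    LIVE_ROOT=$_d
    mkdir -p "$_d/Users/david/Library/Mail/V2/Mailboxes"
    : > "$_d/Users/david/Library/Mail/V2/Mailboxes/invoice.zip"
    cat > "$_d/hits.txt" <<'EOF'
/Volumes/TM4TB/Backups.backupdb/MBP17/2015-06-01-030000/Macintosh HD/Users/david/Library/Mail/V2/Mailboxes/invoice.zip
/Volumes/TM4TB/Backups.backupdb/MBP17/2014-11-20-030000/Macintosh HD/Users/david/Downloads/old_attachment.exe
/Volumes/USBStore/NotABackup/report.htm
EOF
    tm_triage "$_d/hits.txt"
    rm -rf "$_d"
}
```

Feed it the real paths from the Sophos log (one per line) with LIVE_ROOT unset to see which hits are backup-only and can simply age out of the backup, as the reply suggests.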
