Need some help- Hard disk being filled by?

[gatorrock]

Hi Folks-

So after a night of searching the web and reading just about everything out there I’ve decided no one seems to take this problem I am having seriously, but it is something real and I think I’ve got a start to finding it but need some good help. Please note I’m going to post this same message to 3 or 4 forums around the web. I am hoping by the time I am done getting help to come back to any of these threads and update them all so any legit solution can be found for future folks.

Here’s the problem in a nutshell-

At some point on 1-Sep-14 I got a virus or malware program that has hidden itself well within my Mac Book pro. I’ve used used 2 different virus programs (Sophos [business edition] and ClamXav) to scan my computer 4 times. Nothing was ever found. What this awful code does is write to your hard drive until it fills up. And once you delete anything it does it again. But it is very quick- It can fill 2 GB in under 1 min. One at least useful thing is that if you are NOT connected to the internet it does not work.

What I have figured out was by using an app called GrandPerspective you can visualize your entire hard drive. It lets you see how big and how many files you have- more importantly it also tells you what files each block is and where it is located. I have linked out to this pic…

https://www.dropbox.com/s/b33d77vhm7wfk5y/Affected%20file.jpg?dl=0

So basically in this pic for my hard drive you see the giant file in the middle- that is a video of my kid playing on a playground. The problem is the original version of that file is just 122mb, that giant one is 128GB!! And if you look more at that pic you will also see a bunch of greenish blocks in the bottom left. Those are “online backups/gmail” except I don’t back-up gmail and they range from 2 gb to 17 gb which the latter is larger than my gmail account . [I am also having trouble finding these files as they are hidden, but I can ask for help later on that]



So obviously this code takes potentially legit files and hijacks them.

What I need to figure out is how to find this code, isolate it and get help to potentially protect from getting it again.

As for how I got it, I believe it is from visiting a page to download a font that I have never been to before – as that was my only new thing I did yesterday.


So any help would be great. I won’t be here quickly again today as I am very busy and because I can’t access the internet easily since I have to borrow computers for now. But I promise to check back soon.

Cheers

 

[maflynn]

Why do you think its a virus when there are no viruses in the wild for OS X? I'm not saying its not, but if two virus scanners failed to find anything, and there's been no reports of a this sort of malware then its probably not malware but another explanation.

I'm not sure how to read grand perspective I prefer and use OmniDiskSweeper. It will provide a sorted list of what's consuming your space.

Another option which is more comprehensive is to use this terminal command
sudo du -d 1 -x -c -g /

I prefer to redirect it to a text file (this puts it in your Documents folder
sudo du -d 1 -x -c -g / > ~/Documents/du.txt

If you have a movie file that was only 122mb and its now 128gb, there's probably a problem, especially since its under the recovered photo folder. I'd say its more of a corrupted file then anything.

 

[gatorrock]

Ok-

I appreciate the reply and will try the other program later when I can get internet access again.

But I want to state this and I want this VERY clear, drop all your KNOWN prejudices for mac and how grand it is. I've been using Macs since 1992. I'm no newbie and just want to state I at least know my way around macs and PCs pretty well (those I've been on them since the early 80's). I do generally solve the majority of my problems on my own.

I said 'virus or malware'. So PLEASE EVERYONE come at this with an open mind, new stuff gets written on the internet all the time to try and take advantage of flaws. But yes, I may be calling it a wrong name, but what else do you have for me? I'll stick with some common terms everyone knows. If it turns out to be something very different then grand, we'll call it by that name then. But short and sweet, something has taken control of my computer when it is on the internet and it is not friendly [at least in my eyes].

Now as to your point about my file being corrupt-- potentially so, it's just I don't remember losing 128 GB all of the sudden after transferring that file to iPhoto.

I do know that I watched my hard drive space vanish before my eyes rapidly yesterday... What ever is going on at one it filled 4.5 gb that I had just freed in under 2 mins while I tried to search for an answer online.

Now as per your suggestion I did the terminal scan:

1 /.DocumentRevisions-V100
1 /.fseventsd
0 /.PKInstallSandboxManager
1 /.Spotlight-V100
0 /.Trashes
0 /.vol
14 /Applications
1 /bin
0 /cores
1 /dev
1 /home
7 /Library
1 /net
0 /Network
1 /opt
6 /private
1 /sbin
6 /System
431 /Users
1 /usr
1 /Volumes
463 /
463 total



Now I have little idea what it means. So please do share so I can head in a good direction.

I also like to add that I am on a different computer to post this right now so don't cause what little space I have freed to get filled up again.

 

[alphaod]

What you have is basically a script that write to your disk and fills it up. It's not necessarily a virus, could be just a prank a friend is pulling on you?

Anyway when this thing is running I think it would show up on Activity Monitor is very low memory usage, but high CPU time. Have you tried looking through that?

 

[simonsi]

iPhoto
Movie file growing
Happens when connected to the internet

Photostream/iCloud syncing etc is my bet, with a stuck/messed up file in the first place.

As posted above, look into Activity Monitor, but look in the Disk tab and see what is actively writing to the disk - you haven't done that, yet that would identify almost immediately what task is writing to the disk.

If you identify the process. Kill it. Simple-as.

Occams Razor

 

[gatorrock]

Okay a bit of an update..

So I did some capturing of what is happening.

This is before I get hit by the programs:
https://www.dropbox.com/s/39k79swpx0gbt0o/before.jpg?dl=0

This is during the hit - sadly Grab captured the screen as the "full" window popped up

https://www.dropbox.com/s/w4l25h53i7iidab/going%20on.jpg?dl=0

And here are the 2 programs that seem responsible for it-- they disappear just as quick as they appear

https://www.dropbox.com/s/k3qj6qttmovvdzq/programs.jpg?dl=0


Now please note yes I could just "kill the programs", but that doesn't solve my problem at all as it just keeps coming back and filling up the empty space in seconds. I've rebooted a few times and this keeps going on. So I need a more permanent solution.

They seem to be associated with chrome/gmail and happen with something with it. I can't get it to occur by anything I specifically do (ie refreshing, logging in, etc). It sometimes occurs with that, but not every time.

Hope this may clue in some folks.

 

[MCAsan]

So what happens when you restore from backup or do a clean install?

 

[gatorrock]

I haven't yet for multiple reasons-

main one is I'd like to solve this, not ignore it.

Also currently I need to make sure everything is backed up, but if it is a virus I'd really not like to infect my server.

 

[chabig]

You do not have a virus. Case closed on that.

Now what is that "Online Backup" thing? It's something you installed and is probably in your Applications folder. If it's acting up, perhaps you should delete it.

Also, have you rebooted the machine? That might be a good idea to end a misbehaving process.

 

[Weaselboy]

And here are the 2 programs that seem responsible for it-- they disappear just as quick as they appear

Go back to Activity Monitor and when those zip and online backup processes are running select them and do command-i to get more info then go to the Open File and Ports tab like in my screenshot and see what app has launched that process.

The fact it was run by launchd means it is likely a startup item of some sort.

Install and run the app Etrecheck then post the output up here. That will show us all login and startup items your system has setup.

 

[simonsi]

I think it is the zip process that is the issue, are you by any chance zipping a folder that includes the zip archive itself? That may, if the sw doesn't notice it, recursively add the archive to itself and hence grow rapidly until it runs out of space.

Anyhow, not a virus and best not to pre-accuse the entire internet of prejudice and start waving your arms around quoting malicious code etc etc before you properly look into a basic system performance issue.

If this is any kind of attack on your machine it compares with trick-or-treat levels of simple prank.

 

[chabig]

Take a look in /Volumes/ as well. All of your mounted disk volumes should be in there, and your boot drive should have an alias to itself. I saw it once a long time ago where the system got confused and instead of an alias it tried to copy the entire boot volume to that spot in the disk directory.

 

[gatorrock]

Thank you all for you very helpful thoughts and directions.

I'm sorry if I offended any one on the virus thing

Anyhow lots and lots of work has been going on since I last posted [both in my real job, hence why I haven't been on here in a while] and with what folks here and other places suggested.

Okay so here is a screen grab as requested:

The command-i
https://www.dropbox.com/s/y1mdrcw13qo1xuh/zip1.tiff?dl=0

Also found this same info via another good program called: fseventer
http://fernlightning.com/doku.php?id=software%3Afseventer%3Astart

Gives you a nice live breakdown of what is going on.

Anyhow this has shown that is related to my online back-up program.

I didn't think it was this originally as I've been running it for 3 months with out any issue and I haven't upgraded it or installed any new programs on this computer since Mid-July. So why should it suddenly go wrong?

So by going back to GrandPerspective I was able to get to these zip files easily - they are in the hidden library in my user account.

Here’s all those zip files
https://www.dropbox.com/s/g6k4s2f0oewr89m/hiddengmail.jpg?dl=0

What I found interesting is that this folder was first made back on 10-August and until 30-August (ie late Saturday night) the zip files being made were smallish (nothing over 150 megs) but then something happened Saturday night and they started getting made in the Gb range. Also added to this, until yesterday, they were made only 2 times a day. Now they are made every time I'm on the internet and fill up any and all space on the hard drive.


So I know what it is, I sorta know what is doing...but I can't figure out WHY it is doing it (as I've never asked for my email to be backed up as I only access it via the web, never anything like 'Mail' or 'Thunderbird') or more importantly how to stop it without deleting the program all together.

I've contacted SOS Online Backup and now waiting on a response.

----------

Oh yes, in case you want to know more here's the info from the Etrecheck app:

EtreCheck version: 1.9.15 (52)
Report generated 2 September 2014 21:40:25 BST

Hardware Information: ?
MacBook Pro (Retina, 13-inch, Late 2013) (Verified)
MacBook Pro - model: MacBookPro11,1
1 2.6 GHz Intel Core i5 CPU: 2 cores
16 GB RAM

Video Information: ?
Intel Iris - VRAM: (null)
Color LCD 2560 x 1600

System Software: ?
OS X 10.9.4 (13E28) - Uptime: 1 day 1:14:30

Disk Information: ?
APPLE SSD SM0512F disk0 : (500.28 GB)
S.M.A.R.T. Status: Verified
EFI (disk0s1) <not mounted>: 209.7 MB
Macintosh HD (disk0s2) / [Startup]: 499.42 GB (1.76 GB free) (Low!)
Recovery HD (disk0s3) <not mounted>: 650 MB

USB Information: ?
Apple Internal Memory Card Reader
Apple Inc. BRCM20702 Hub
Apple Inc. Bluetooth USB Host Controller
Apple Inc. Apple Internal Keyboard / Trackpad

Thunderbolt Information: ?
Apple Inc. thunderbolt_bus

Configuration files: ?
/etc/hosts - Count: 63

Gatekeeper: ?
Anywhere

Kernel Extensions: ?
[not loaded] com.cisco.kext.acsock (1.1.0 - SDK 10.6) Support
[not loaded] com.focusrite.driver.usb2audio (1.9 - SDK 10.6) Support

Launch Daemons: ?
[loaded] com.adobe.SwitchBoard.plist Support
[running] com.cisco.anyconnect.vpnagentd.plist Support
[running] com.fernlightning.fseventer.plist Support
[loaded] com.microsoft.office.licensing.helper.plist Support
[running] com.sophos.autoupdate.plist Support
[running] com.sophos.intercheck.plist Support
[running] com.sophos.notification.plist Support

Launch Agents: ?
[not loaded] com.adobe.AAM.Updater-1.0.plist Support
[loaded] com.cisco.anyconnect.gui.plist Support

User Launch Agents: ?
[loaded] com.adobe.AAM.Updater-1.0.plist Support
[loaded] com.adobe.ARM.[...].plist Support
[loaded] com.google.keystone.agent.plist Support
[running] com.nero.HSMMonitor.plist Support
[failed] SOS.OnlineBackup.LaunchAgent.plist Support

User Login Items: ?
iTunesHelper
Google Chrome
CrashPlan menu bar
VMware Fusion Start Menu
Android File Transfer Agent

Internet Plug-ins: ?
AdobeAAMDetect: Version: AdobeAAMDetect 1.0.0.0 - SDK 10.6 Support
QuickTime Plugin: Version: 7.7.3
AdobePDFViewerNPAPI: Version: 11.0.07 - SDK 10.6 Support
AdobePDFViewer: Version: 11.0.07 - SDK 10.6 Support
Default Browser: Version: 537 - SDK 10.9
SharePointBrowserPlugin: Version: 14.4.4 - SDK 10.6 Support
JavaAppletPlugin: Version: 14.9.0 - SDK 10.7 Check version

Audio Plug-ins: ?
BluetoothAudioPlugIn: Version: 1.0 - SDK 10.9
AirPlay: Version: 2.0 - SDK 10.9
AppleAVBAudio: Version: 203.2 - SDK 10.9
iSightAudio: Version: 7.7.3 - SDK 10.9

iTunes Plug-ins: ?
Quartz Composer Visualizer: Version: 1.4 - SDK 10.9

3rd Party Preference Panes: ?
None

Time Machine: ?
Time Machine not configured!

Top Processes by CPU: ?
39% fseventer
4% Google Chrome
3% Finder
2% WindowServer
2% sysmond

Top Processes by Memory: ?
410 MB Adobe Photoshop CS6
311 MB Finder
295 MB WindowServer
295 MB iTunes
279 MB GrandPerspective

Virtual Memory Information: ?
2.11 GB Free RAM
6.28 GB Active RAM
6.06 GB Inactive RAM
1.54 GB Wired RAM
16.77 GB Page-ins
400 KB Page-outs

 

[Weaselboy]

User Launch Agents: ?
[loaded] com.adobe.AAM.Updater-1.0.plist Support
[loaded] com.adobe.ARM.[...].plist Support
[loaded] com.google.keystone.agent.plist Support
[running] com.nero.HSMMonitor.plist Support
[failed] SOS.OnlineBackup.LaunchAgent.plist Support

User Login Items: ?
iTunesHelper
Google Chrome
CrashPlan menu bar
VMware Fusion Start Menu
Android File Transfer Agent

Yikes

Seems pretty clear SOS backup is the problem here. I wonder if they did a background update to their app and it caused these issues since it sounds like you had this backup service for a while and did not have this issue. It looks like the way that backup app works is it makes temp ZIP files of your data then uploads them to the online service. Seems like the ZIP files are not deleting themselves after like they should.

To but the brakes on this until you get a real fix from SOS, look in the following folders for the file SOS.OnlineBackup.LaunchAgent.plist and drag it off to the Desktop then restart. That should stop the backup service from running and those two processes in Activity Monitor. Of course this will stop online backups.

/Library/LaunchDaemons
/System/Library/LaunchDaemons
/Library/LaunchAgents
/System/Library/LaunchAgents
/Users/[I]your-username[/I]/Library/LaunchAgents

I don't think it is causing a problem, but it looks like you used to have Crashplan and if you look in your login items in System Preferences in the Users & Groups pane you can remove the Crashplan menu item.

As an aside, where did you find out about this backup service? I read about every Mac web site known to man and I have never heard of it.

How much data is in your user folder to backup?

 

[simonsi]

I'm sorry if I offended any one on the virus thing

I don't think you will have offended anybody (except perhaps Crashplan ), but bear in mind it was perfectly possible to conclude what was wrong without continually loading further apps to "help".

Once you have an issue going on, best not to further complicate diagnosis by making further changes as far as you can. If you have anything odd going on, the Activity Monitor will almost certainly tell you what is actually going on (vs what some random app thinks is going on), and where to look for further information.

Once you are back and sorted I would delete those random apps and spend some time understanding what the Activity Monitor can tell you.

 

[gatorrock]

To but the brakes on this until you get a real fix from SOS, look in the following folders for the file SOS.OnlineBackup.LaunchAgent.plist and drag it off to the Desktop then restart. That should stop the backup service from running and those two processes in Activity Monitor. Of course this will stop online backups.

Yep, and I have deleted the program and bad files altogether

I don't think it is causing a problem, but it looks like you used to have Crashplan and if you look in your login items in System Preferences in the Users & Groups pane you can remove the Crashplan menu item.

Good catch. Crash plan was my trial company and I originally planned to go with them except for a few minor problems [family plan was weird in how they ran it and they didn't a have a good smart phone app]. So I "removed" they software, but obviously not quite everything.

As an aside, where did you find out about this backup service? I read about every Mac web site known to man and I have never heard of it.

How much data is in your user folder to backup?

As for your last two questions, let me do them in reverse. My user data to back-up is between 80-90 Gb, most of the bulk being pics and vids of my family as I live in the UK and our families are all in the US, we have to relay lots of fun stuff for them back home.

Of course if you wondering more about my back-up companies-- both hat I trialed/bought give unlimited storage of your computer/smartphone/external drives/ NAS servers. This is why I chose them. And to give you and I dea, they've actually backed-up over 1 TB of my data so far as I've backed up part of my NAS drives.

How I found out about them was multi-pronged search. I also work with PCs so I needed a system that could work on all formats. So obvious web searches, reviews from sites I trusted, magazines, and tech journalists. Both companies have glowing reviews and Crash Plan by people in the tech field who use Macs. I couldn't find anyone on Mac who used SOS complaining about it and since I was frustrated by Crash Plan's smart phone app and odd choice [I'll explain in a moment]- I went with SOS, due to their good smartphone app [I'm an android smart phone guy].

After this experience I may go back to Crash Plan depending on how this gets resolved [again explain on that in another post].

So Crash Plan's odd choice is that if you get the family plan, you can have up to 10 computers plus phones & ipads/tablets-- but they all have to use the same username and password because even though each computer/device is separate they ALL can be seen and accessed by EVERYONE. So you may love your family, but do you want them to full access to all your files? I'm still not sure about that. Their reasoning is that they don;t want business' to use the family plan so they decided to make it less secure in that aspect. They also believe that your family all has to live in the same house, unless a kid goes to college. Mind you you could still have the uncle, etc on the other side of the world, but they feel if they let everyone access everything that will usually keep it under the same roof. Hence why I didn't like that.


But if I go back I may just get individual plans like I've done with SOS, who didn't offer family plans that were worth the money (I've only got 3 computers to worry about right now).

 

[gatorrock]

Just a current update to the SOS Online Backup...

So I wrote them last night explaining what was going on, with pic links, etc. And within 10 mins they responded with a literal cut & paste reply from a user manual/wiki that basically said to delete everything including their program and reinstall.

I HATE that type of reply and responded with them needing to actually read my email and give a better response as there were other questions in there about my service. I've yet to hear back.

Half of what ticked me off was that the cut and paste was for a windows computer (with a single line like this to explain use 'command') -- but most of it was still not quite right for Mac, especially if you don't know a windows computer and you know don't know how to find your hidden library files.

So I'll wait and see how they respond to my latest email as they should have last night since they had another 5 hours until closing, but they didn't.

 

[maflynn]

So crash plan is causing the issue? Wow, that's not good. Keep the thread updated to the specifics of the issue.

The fix is simple, though not easy. Back up your data (not using crash plan ), format the drive and reinstall a clean copy of OS X and restore your data.

I'm sure there will be other solutions that won't require reformatting but it is the simplest insofar as just formatting the drive but it is also quite drastic.

 

[Weaselboy]

Just a current update to the SOS Online Backup...

Hmmm... that's frustrating. Is everything working okay for now with the SOS app removed at least?

I did not mean to criticize your choice of SOS and meant no offense. I was just curious about it because I never heard of the company.

So crash plan is causing the issue?

I think you misread. It is the SOS online backup app that was causing the issue. He just had a left over menu bar login item from Crashplan.

 

[gatorrock]

Weaselboy - never took offense! Just explaining how I looked at types that covered multiple types of computers. Sorry if it came off that way! Any yes I did way too much research (there are at least 30 companies out there I looked at) -- here's a good spot to start from if you want to learn about them:
http://pcsupport.about.com/od/maintenance/tp/online_backup_services.htm

Bonus they just updated it.

And yes, just deleted all the SOS software- so far they still haven't responded. I'll give them until Thursday afternoon then I'm contacting customer service to cancel their plan and see if I can get a refund. I'm sure I have a reasonable complaint...we'll see.