Virus hid my Mac Volumn

[svalenti]

At work I have a Mac with two internal drives that I raided together. A pc virus got on the pc servers and spread. My raid is also affected. I deleted the visible files and invisible pc files but now it hides my volume so it isn't on the Desktop. I can see it in Disk Utility but it says it is mounted.

How do I get the invisible attributes off so I can see it again and clean it?

Thanks for any immediate attention!!!

[svalenti]

I was able to get the volume back by running command in terminal...
chflags nohidden "/Volumes/volumnName"


Now all the files are still hidden. How do I show them?

[benwiggy]

First of all, what model of Mac and what OS X version? What files format is the RAID drive, and is it shared to other computers, e.g. PCs, and if so, how?

It seems unlikely that a PC virus would also be able to infect a Mac and cause damage to it.

What exact steps did you follow to delete the visible and invisible files?

When you say the volume doesn't appear on the Desktop, do you just mean the icon on the Desktop background? Or that the drive is completely invisible in the Finder?

Your best option is to restore the contents of the drive from a backup before the infection. You still don't know whether your files have been compromised and what has been added to the drive.

[svalenti]

Model of Mac is 2 x 3Ghz Quad-Core Intel Xeon running 10.6.8.
RAID drive was formatted as Mac OS Extended (Journaled).
It was shared by both Macs and PCs simply thru FileSharing.
When virus first appeared on network pc servers I also found the files on this RAID drive. I deleted visible and invisible window files by using find file visibility + invisible files.
The icon on desktop first changed its name and dimmed out on desktop then after a restart just doesn't show on desktop anymore... just see normal Macintosh HD volume. The drive was completely invisible to the Finder until I ran the line above and now I have RAID volume seen on Desktop but all files are invisible. If I do a find for invisible files I can see them on the drive...

Don't know how to make the files visible since it doesn't show any dot in front of file or folder to indicate it is invisible.

[hayne]

Quote: Originally Posted by benwiggy Your best option is to restore the contents of the drive from a backup before the infection. You still don't know whether your files have been compromised and what has been added to the drive.

Quoted for emphasis.
I.e. I agree that you should abandon trying to patch things up. You have (apparently) lost control of your system. You don't know what (other things) the malware has done. So you need to start from scratch, erasing the disks, reinstalling OS X from original media, restoring data files from backup.

[svalenti]

Quote: Originally Posted by hayne Quoted for emphasis. I.e. I agree that you should abandon trying to patch things up. You have (apparently) lost control of your system. You don't know what (other things) the malware has done. So you need to start from scratch, erasing the disks, reinstalling OS X from original media, restoring data files from backup.

The System doesn't seem to be any problem. Why reinstall the system that is on another volume?

[jsalmi]

Best of luck with your recovery.

[svalenti]

Who can tell me how a Window Virus can infect a Mac volume??

[hayne]

Quote: Originally Posted by svalenti The System doesn't seem to be any problem. Why reinstall the system that is on another volume?

No need - if you are sure that the system wasn't affected.

[hayne]

Quote: Originally Posted by svalenti Who can tell me how a Window Virus can infect a Mac volume??

First of all, how do you know that the virus was exclusively a Windows virus? Some malware does affect OS X. (Side note: are you sure it was technically a virus? See: http://en.wikipedia.org/wiki/Computer_virus)

You apparently were file sharing the Mac disk volumes to Windows machines. That probably implies that you were using SMB to make the volumes accessible to Windows. You may also have been using some 3rd-party Windows software that allows Windows to read the HFS+ file system. (Windows cannot natively read files on a drive formatted with HFS+ (the native file format on OS X).)

Hence a program (e.g. the malware) running on one of the Windows machines could access and modify the files on your Mac drives.

[anthlover]

Just a tangible partial possibility but did you check your Finder Preferences, General ...
And you have Show on the Desktop ALL of the following Checked:
Hard Disk
External Disk
CD, DVD, Ipods
Connected Servers

Lastly have you tried viewing the directories from any other system? There may indeed be something wrong with the File System of Drive/array.

[svalenti]

Quote: Originally Posted by anthlover did you check your Finder Preferences, General ... And you have Show on the Desktop ALL of the following Checked:

Finder preference had nothing to do with it.

Quote: Originally Posted by anthlover Lastly have you tried viewing the directories from any other system?

That's how people noticed folders were being hidden.

Quote: Originally Posted by anthlover There may indeed be something wrong with the File System of Drive/array.

There was! We had a network virus/malware. It hid our folders and added files like sexy.exe, porn.exe, password.exe. I had smb turned on for the RAID so Window clients could connect and read/write access.

I rebuilt the RAID set and restored data from backup.

[anthlover]

So would it work to have Read only access for the windows clients?