MACBOOK PRO. Late 2011. LION 10.7.3 - 2.2GHz w/4GB 1333 MHz DDR3. Wifi for Internet at home and BlueTooth for the mouse. No iChat, iTunes, iCalendar etc.
I have recently experienced what appears to be a complete collapse of the security protocol and my system now seems to be run by foreign programs. I will quickly describe what I have discovered and what I think could be the cause. I will then post some of the files I found as well as some logs. Please let me know your thoughts, what other information you need and what I can do to remedy the situation. I don't want to debate the existance of threats. I am willing to accept reasonable explanations but please look at everything I am asking for help with. Thank you in advance for thoughtful replies.
On or about March 22 I updated Quicktime/Safari to be able to view and play rich media. I installed the Perian, Flip4Mac and DIVX plugins. I had run into problems with homepage hijackers previouslyI did not notice anything suspicious until this weekend. The system slowed to a halt after visiting sites like YouTube, DailyMotion etc. The system started generating comprehensive debugging reports and failed to shut down properly. The boot logs changed as well. Some went missing (no data reported) and the protocols for others changed dramatically. New applications began to show up in the Activity Monitor and new components began to appear with unknown origins or authors.
Current State - Login
It appears as though the security protocol has changed. PAM framework exposes a generic set of API/functions to the applications. Applications simply call the functions de- fined in the module passing in the credentials of the user. Secure logs, crash reports and DEBUGGING logs all indicate that there is a breakdown in the system allowing something to get set up as a guest user without a urlAttribute or homeDirPath or the proper syntax and is reestablishing itself on start using exception handling protocols and cached data. It is refusing to let go when shutting down and starts up again before any other systems are in place from its persistant state cache.
Current State - Files, Logs and Caches
The private/tmp folder have seen new locked files and folders appear at the same time. All of which point back to Safari/Fireworks Plugin Process as its origin. File contents posted below
eka_named_mutex_KLAVA (zero bytes on disk)
launchd-142.RTSwZ4 (locked folder)
!! ?PR_REMOTE_MANAGER_PROP ?cpnPRAGUE_REMOTE_API ?cpTASK_MANAGER_TASK_ID ?
|cpTASK_MANAGER_TASK_IS_REMOTE ?npISWIFT_MODE ?npISWIFT_VOLUME_ID||?npISWIFT_FILE_ID|
?npAVS_CHAINED_OBJECT ?KTT ?npSCAN_OBJECT_CONTEXT ?
npENGINE_OBJECT_PARAM_ACTION_CLASS_MASK_tDWORD ?npENGINE_VIRTUAL_OBJECT_NAME ?npENGINE_OBJECT_DETECT_STATE ?npENGINE_OBJECT_READONLY_tERROR ?
npENGINE_OBJECT_READONLY_hOBJECT ?npENGINE_OBJECT_SESSION_hOBJECT ?
npENGINE_OBJECT_SKIP_THIS_ONE_tBOOL ?npENGINE_OBJECT_EXECUTABLE_PARENT_IO_hOBJECT ?npENGINE_OBJECT_SET_WRITE_ACCESS_tERROR ?propid_reopen_user_data ?
npENGINE_INTEGRAL_PARENT_IO ?propid_istreams_ctx ?npSCAN_OBJECT_BCKFLAG ?
avp1_has_special_cure ?cpTEMPFILE_MEMMANAGER ?npOBJECT_STARTUP ?DEFER_THREAD_INIT
wnstat.xml file contents =
....all the way through to...
PRObjects = 8Lä± PRRoot 8TD± TaskManager
New Processes have appeared in the Activity Monitor that all link together to manage what happens and what gets reported. They include
This one is the most troubling. I understand that Quicktime can read and or write code from an embedded XML file. I have noticed all sorts of new Components listed in System Information that relate directly to the collection, distribution and execution of code via the browser plugin process. It wouldn't take much to inject code into a cache that can be later executed by processes that have hijacked the login protocol. With two way conversation back and forth it could easily be tweaked based on DEBUGGING reports sent home until it has been proven effective.
I think my machine has been compromised before. I reported some incidents last fall however I didn't know enough about OSX to gage the threat. My experience before and after visiting certain media sites is the same except this time they seem to be far more effective.
Please let me know what you think the best remedy might be. I want to eliminate all of the errors, get the system running as it should and ultimately put up some kind of barrier that isn't so easy to foil. I just received another error
"12-04-08 2:33:13.267 AM helpd: CFPropertyListCreateFromXMLData(): Old-style plist parser: missing semicolon in dictionary.
I am suspicious because I have seen my system compromised by code embedded in Browser Plug In processes before. I am suspicious because what I have seen happen to my system over the last few days is consistent with how one might attack a OSX machine. Too many odd changes inconsistent with how others have described their experience. Let me know what else you need to help define things further. I can provide a lot more data about the contents of files recently modified, logs, debug reports etc. I am not sure where to start, what is important and what can be dismissed. I appreciate your help.