iMac infected with virus that creates hidden windows partition, won’t boot from USB or internet recovery

soundboy13 Said:

"iMac infected with virus that creates hidden windows partition, won’t boot from USB or internet recovery".

-------

Reinstall the macOS Anew. Putting the "virus" controversy aside, it should work like new once installed.

Perform the following in the order provided:

I.  If it applies: Back up your Mac with Time Machine - Apple Support. Also, write down or take a photo of all of your Applications - you will need to reinstall them all later, by contacting the Developer(s) of the app(s). Ask them for a new install key.

Then...

II. Reinstall the macOS Anew:

1. Boot: into Recovery Mode.
2. Open: Disk Utilities
3. Delete: the partition
4. Reinstall: the macOS

Once Installed Anew...

III. Reinstall All the Software:

1. Use Migration Assistant to move Apps a Files back in.
2. Ask developers for new software keys - but contact the developers only --- none other --- or you may end up with malware and spyware installed.

soundboy13 Said:

"But what I don’t understand is why is the data not shown as taking up space after you format the drive?"

-------

For Reverence:

I. APFS Formatting:

Go Here: Add, delete, or erase APFS volumes in Disk Utility on Mac

II. Opening Terminal in Recovery Mode:

1. Boot: into Recovery Mode
2. Click: Utilities Menu
3. Select: Terminal

soundboy13 Said:

"I tried that in recovery mode and I get command not found"

-------

Thank you for the Screenshot. What it infers is that you have nothing on your drive - it's time for a new drive. Your drive is dead.

---

Get this Serviced - Get a New Hard Drive:

Is this covered by AppleCare?

If so, take this up with Apple. Being that Coronavirus Pandemic is going around, Apple Stores are Closed. So, Send-In Service is all that there is at the moment. If not, then contact and AASP.

Verify if it is Covered

Enter your Serial Number Here: Check Your Service and Support Coverage - Apple Support

---

A. Using Send-In Service:

The only option, as of this post, would be to contact Apple, and have it sent it for service/replacement.

1. Apple: would send you a box
2. You: would package it and send it to Apple
3. Apple: would fix it or replace it, if applicable
4. You: would receive it back from Apple

---

B. Contacting Apple Support:

A. Phone Support Info:

• Contact Us - Choose Locations
• USA: 1(800)MY-APPLE
• Proceed from there as Necessary
• NOTE: Calls are taking a moment, so, just stay on the line. Someone will be with you.

C. Chat Session Info:

Being that phone calls are taking a moment, perform a chat session with Apple Support.

Setting Up the Chat Session:

1. Go to: support.apple.com
2. Scroll Down to "Tell us how we can help"
3. Select: Get Support
4. Proceed from there as Necessary

or...

D. Contact an AASP: 

1. Go Here: Find Locations - Apple Authorized Reseller
2. Click: Service & Support
3. Enter: your location information
4. See: if there is an AASP nearby
5. Contact: an AASP (Apple Authorized Service Provider) that shows up, and find out more about the services that they offer to fix the iPhone

There's no virus. Catalina formats your disk using APFS. APFS creates one visible volume and four invisible volumes. As an example, if you name your disk "Macintosh HD," then that is the only visible volume you will see mounted on your Desktop. There are four invisible volumes named: Macintosh HD - Data, Preboot, Recovery, and VM. Of these four, only the Data volume will be shown by Disk Utility. The whole array, however, will be displayed if you use diskutil in the Terminal.

These five volumes are all grouped under what APFS calls a "container." Containers are similar to partitions but unlike partitions, containers can share the available space on the storage device. They have many more features you can read about.

When should you use APFS Containers, Volumes, and Folders?

Partition Drives & Create APFS ‘Containers’ for Space Sharing with Disk Utility

Tech 101- Explaining the New Apple File System (APFS)

Copy, move and clone files in APFS, a primer

Add, delete or erase APFS volumes in Disk Utility on Mac - Apple Disk Utility User Guide

You can't even begin to believe how far off into left field you are. I'm not even sure where to start, there's so much wrong with your statements.

Let's start with the massively illogical argument that you think you have a Windows virus.

1. You don't have Windows installed.
2. A Windows virus can only run in Windows.
3. So, um, exactly how is a Windows virus running on a computer that doesn't even have Windows on it?

Check our what I see from disk utility in the fake Catalina base system install when I try to boot from internet recovery.

That's the Recovery partition the Mac boots to when you choose to startup in Recovery Mode (Command+R). It shouldn't even be visible. That you managed to make it visible is a good sign you destroyed it. Good job.

Your next couple of posts and screen shots only repeat that you think a hidden disk image that's supposed to be there is a problem. It's not. Except you now made it one by wrecking it.

Here is some more photo evidence of a program that I didn’t install that can now access my computer.

Every single Mac has that function. It's proof of nothing.

5 minutes from booting the computer I have 115,000 console messages.

Whoop-dee-doo. Every computer running Unix will pile up that many messages, or more, in that amount of time.

What others suggested in loading Etrecheck is a good idea. It will reveal hidden launch daemons that might have installed as trojan horses. Quite different from viruses, these are software that promote their value to the unsuspecting user and encourage you to install them. Where a virus will come onto your computer without even provocation.

Examples of trojan horses are software made by Macpaw and Zeobit that are purported optimizers.

Website extensions that force Chrome to load a different start website like weknow.ac.

There phishing websites that look like the real thing unless you reveal the full link to the website. Those are known as adware, and can be very dangerous if you use your machine for personal information.

And while you could technically run a script that could cause some significant damage, it won't do so without root account access, which requires you divulge the administrative password to a software that does not need it.

Let's start by identifying the launch daemons:

https://discussions.apple.com/docs/DOC-250002463

And once we do, we will restart in safe mode (using the shift key), to remove the said programs using EasyFind, also documented in the tip. But first we need to ensure you only delete that which does not belong.

soundboy13 Said:

"iMac infected with virus that creates hidden windows partition, won’t boot from USB or internet recovery: [...]I can see a 40GB windows partition, and this is immediately after formatting the computer and booting into OS Catalina for the first time.[...]"

-------

To Emphasize on my Previous Reply:

After you delete the partition, be sure to format the Hard Drive - If using Catalina - use APFS as the File System (AKA: The Format Type).

soundboy13 Said:

"when it boots from internet recovery, shouldn’t it go directly into the recovery mode. If you watch the video you will see where it shows an apple symbol and loads the recovery mode after that."

-------

You are welcome.

Thank You for the Video!

It is Doing it as intended - what it is in fact doing is downloading and then encapsulating all the install files, readying itself for installation. Internet Recovery Mode is its own method - it does not go into Recovery Mode, after going through the download. View: "If you can't start up from macOS Recovery"at this link: About macOS Recovery

Erase the Drive:

Are you concerned with losing data? If not, just erase the drive, setting APFS format. Once formatted, see if all 500GB is shown (it might be a few GB less, because the drive has its own files on it).

As for the other 50GB:

Is the other 50GB shown after performing an erase? It would read maybe 498GB.

Except I’m not running windows and I didn’t install windows on the computer, I installed Catalina.

I didn’t install windows on the computer, the virus did.

Do you have any idea - at all - how ridiculous that is? You're describing a thoroughly impossible loop.

1. You don't have Windows installed.
2. You somehow have a Windows virus anyway.
3. The virus, which requires Windows to run, installed Windows. Something you couldn't have possibly missed happening.
4. Except, it's impossible for the virus to install Windows since it requires the presence of Windows to run - at all.
5. Go back to step 1 and keep repeating this very literally impossible sequence.

the fake disk utility and fake terminal

Wow. Just wow. Where did these "fake" utilities come from? Saturn? There's no penetrating this much utter nonsense and paranoia.

I sure won't be wasting any more time on this topic. I may continue reading it for the fantasy entertainment value, but nothing else.

soundboy13 Said:

"I appreciate everyone’s help and feedback but I just wanted to focus on reinstalling the OS from USB so I could fix the issues and I didn’t even really go into all of the strange behaviours I keep having every time I format the c1. omputer."

-------

Find Out the following in Terminal:

1. Use: this Command in Terminal:

 system_profiler

2. Scroll Down to: Storage:

To easily find this, use Find

• [ Hold Down: Command + Tap: F ]
• Type: System Software Overview:
• Press: return until it id

3. View: Storage: (The Next Item Down)

• How Many Hard Drives Do You See?
• What Are the File System?
• What is the Capacity?
• How much is Free?

The Output: (Don't Provide It in a Reply)

It Would Look Something Like This:

Macintosh HD - Data:

      Free:

      Capacity:

      Mount Point:

      File System:

      Writable:

      Ignore Ownership:

      BSD Name:

      Volume UUID:

      Physical Drive:

          Device Name:

          Media Name:

          Medium Type:

          Protocol:

          Internal:

          Partition Map Type:

          S.M.A.R.T. Status:

    Macintosh HD:

      Free:

      Capacity:

      Mount Point:

      File System:

      Writable:

      Ignore Ownership:

      BSD Name:

      Volume UUID:

      Physical Drive:

          Device Name:

          Media Name:

          Medium Type:

          Protocol:

          Internal:

          Partition Map Type:

          S.M.A.R.T. Status: