
Mac Malware/poisoned images

Two detailed articles that go into greater depth of the malware attacking Mac users.



http://www.securelist.com/en/blog/6211/Rogueware_campaign_targeting_Mac_users


http://blog.unmaskparasites.com/2011/05/05/thousands-of-hacked-sites-seriously-poison-google-image-search-results/




If you're new to the party:


Mac targeted trojans are making their rounds mostly by poisoned images from Google.


The exploit depends upon JavaScript. You can choose to turn it off in Safari preferences; however, large portions of the web don't display or operate correctly without JavaScript running.


An easier preventative option would be to use Firefox and the NoScript add-on; use Firefox toolbar customization to drag a NoScript button to the toolbar.


NoScript turns off all scripts and plug-ins by default, which you enable on a per site, per need, per visit type basis by clicking the NoScript button.


Firefox also has a pop-up window with an opt-out before the download occurs, another safety step.


If you have click-happy types, it's advised to install the Public Fox add-on as well, and set a password on the browser downloads.



If you have the trojan web page on your Mac's screen, simply use Apple Menu > Force Quit to quit the browser.


If you've downloaded but not run the installer, delete it immediately from your downloads folder.


If you've installed the trojan and gave it your admin password, you need to back up your files to an external drive, boot off the installer disk, use Disk Utility > Erase with Zero on your whole boot drive, reinstall OS X fresh, reinstall all programs from original sources, scan your files with AV software, and then return them to your computer.


If you gave the AV software your credit card information, you need to call the credit card company and cancel the charge and freeze it. Assume your identity has been stolen and take appropriate action to defend your identity.


http://www.ftc.gov/bcp/edu/microsites/idtheft/



Some other advice:


Use only low-limit debit/credit cards online, with amounts you're willing to risk losing.


Do not enable overdraft protection on these online-type cards.


Maintain the bulk of your funds in more secure accounts with no user electronic access (keep the blame for loss entirely on the bank).


Beware that banks and credit card companies like to increase your credit/debit card limits without notice.


If you lose a considerable amount of funds through an electronic means in your control, like an ATM, credit card, debit card or online banking, expect a very long and tiresome legal battle to hopefully regain those funds and prove fault.



(note: I receive no compensation from mentioning these sites/article or their solutions, etc)

MacBook Pro, Mac OS X (10.6.7), 17" Quad XP, Vista, 7, Linux(s)

Posted on May 13, 2011 9:15 AM


Aug 7, 2011 10:25 AM in response to Kurt Lang

So while a simple erase does leave all of the previous data on the drive, as far as the OS is concerned, it doesn't exist since it doesn't know where any of the files start, or even what their names were.


Just one addendum, for those who will not fully understand the implications of this... The fact that the data is still there is irrelevant. You could have the nastiest, most virulent virus currently known to man on your hard drive, and after erasing and reinstalling the system, every bit of that virus' code might still reside on the hard drive. However, the OS is solely responsible for opening files and running executable files. If the OS does not know that data is there - as it would not - it cannot do anything with it! The malware cannot somehow run itself in that state. It is simply a collection of what might as well be random bits.


An analogy that would represent this situation reasonably well would be having a gun in your house. If the gun is loaded and on a shelf in the living room, and you've got kids running around, that's very dangerous. Like malware. Now, if you were to wait until the kids were at school and then take a machine and drill a hole ten feet deep in your back yard, drop the gun in and fill the hole back up, then put a plug of sod over the top, it is technically the same gun, it's still near your kids and could still fire if it were recovered soon. However, realistically, there's no conceivable way that anyone's actually going to be firing it again.

Aug 7, 2011 1:44 PM in response to thomas_r.

The malware cannot somehow run itself in that state.

But if some criminal somewhere has hired a voodoo priest to curse your system, it could rise from the dead like a zombie & take over the OS, send all your sensitive data to him, dig up the gun & kill your kids, load your hard drive with compromising data, report it to the police, & totally ruin your life!


Or at least this is equivalent of what the technically uninformed would have you believe. If you want to learn how to deal with malware effectively, the question to ask is not "what if?" but "how does it work?"

Aug 7, 2011 5:45 PM in response to ds store

Okay, maybe a big difference between getting rid of ClamV and getting rid of what "some voodoo priest" cursed my machine with... (not once, but multiple times).


And, no, a zero out erase did nothing.


Do I know what the function of the IO Reg log is? I think so. Am I skilled to a degree that I'd be comfortable writing an article on the topic?


No. It's not my field of expertise.


Like I said. When I came to Apple to assist me with problems which were way out of my depth, they hosed me. And, the problems weren't nice and continued to worsen. This was during the first go-round.


Am I comfortable in my current knowledge of the IO Reg log to say that if I've never owned a MacBook Pro, I believe numerous mentions of it in this registry are sort of like having a loaded gun in my two-month-old, very expensive 27" iMac with maybe 4 out of 6 chambers loaded, an automatic trigger and a spinning barrel?


I dunno.


How about I show you all and see what you think? I'd really appreciate some intelligent diagnostic opinions from neutral outsiders, as Senior AppleCare techs have quit communicating with me because of this and the kernel log, which makes reference to Penryn, Nehalem, etc. -- profiles relating to MacBook profiles attempting to load into the computer.


And, it was Apple Senior Techs and their own money-winning White Hat Hacker who told me the only way to rid oneself of rootkit malware is a 32-pass erasure. There was just about NOTHING on the disk and it took almost a week. In addition, they are reluctant to admit this type of invasion is fairly easy to achieve with Leopard/Snow Leopard and they'll deny it when it does occur.


Again, the background:


While setting up a brand new AirPort Base Station on this brand new iMac, which had just undergone that 32-pass erasure, with a Sr. Tech on the phone, the "security" setup portion was interrupted (by voodoo) by a message which said: "shared key with my MacBook Pro" and gave the key numbers. Unable to connect wirelessly; it was almost impossible to connect via Ethernet.


Four days ago, ethernet interrupted for no good reason.


The same Sr. Tech worked for over an hour: no solution/no connection.


Sr. Airport Support #1: shut off Firewall, able to reset Airport, create new local net, pw, etc., worked wirelessly for the first time for 8 hrs.


Sr. Airport Support #2: 1/2 hour of reset Base Station, Modem, etc. Advised me to shut off wireless, plug cable into Base Station, connect to computer directly and use ethernet. Worked for 8 hrs.


Sr. Sr. Airport Support #3: Completely puzzled. Checked "About This Mac." Info under "Airport" revealed no Airport card present in computer. Tech sort of startled. Airport/Ethernet both "self-assigned" 169. whatever IP's could not connect. Safe boot, loaded disk. Location = Test/110. IP address but still no Airport card in computer. Tech still startled. Asked me if I ever checked? Yep. Card was there a few hours before...


I tried to connect after the Tech hung up. Able to connect w/o problem w/no card, with the Base Station's slow flashing amber light, the Ethernet light on the modem orange, and the AirPort icon in the upper right of the iMac off with a "!".


Clicked "Network", which asked for my login pw: gave pw. Received a fast message stating "Incorrect Name"; however, it connects to the internet, no worries, or I wouldn't be here now....


Sent logs to Sr. Sr. Tech who was supposed to phone me yesterday 3p. I called him x2: no response. Not the first time...


If you Google the thing about "No AirPort card in new iMac" you'll see I'm not the only one being ignored, etc.


So, not funny and all of this is accurate. Again, I'd appreciate any feedback/assistance, etc., as, like one of my patients who loves Shakespeare but never gets the lines quite right says: "Something stinks in Sweden."


Many thanks for anything at all....or, maybe everybody's AirPorts and iMacs work like this and I'm wrong.


< Edited by Host >

Aug 7, 2011 5:53 PM in response to individualfreedom

Okay, maybe a big difference between getting rid of ClamV and getting rid of what "some voodoo priest" cursed my machine with...



ClamV? Are you talking about ClamXav? If so, are you aware that that is anti-virus software, not malware to be "gotten rid of"?


When I came to Apple to assist me with problems which were way out of my depth, they hosed me


Your story was very hard to follow, but from what I understand of it, there is no indication anywhere in what you describe that you had any kind of malware. If I had to guess, I'd say you could have a hardware problem, but that's just a guess. Despite the length of your post, there was very little hard information to go on.


IO Reg Log:


You really shouldn't have posted that here. Not only was it way too long to really be appropriate, but it also contains private information that should not be posted to a public forum. However, I can tell you that it looks normal to me. As I said before, it is normal to see references to other machine types in there.

Aug 7, 2011 6:09 PM in response to individualfreedom

And, it was Apple Senior Techs and their own money-winning White Hat Hacker who told me the only way to rid oneself of rootkit malware is a 32-pass erasure.

I'm sorry, but when you say things like that, it is impossible to take you seriously.


Do you really expect us to believe that Apple Senior Techs (plural) & "their own money winning White Hat Hacker" (whatever that capitalized phrase is supposed to mean) all got together & collectively suggested that you do a "32 pass erase" (which isn't even an option in Disk Utility)?


Stick to the facts & skip the hyperbole. If you want help, just describe the problem as carefully as you can.

Aug 8, 2011 5:42 AM in response to individualfreedom

And, it was Apple Senior Techs and their own money-winning White Hat Hacker who told me the only way to rid oneself of rootkit malware is a 32-pass erasure.

Just to add a bit more of a blunt observation of my own to R C-R's comment.


If there really was any supposed pro who told you that, they are a complete, dyed-in-the-wool idiot. The only reason for telling anyone that is to deliberately waste your time by making you do something completely unnecessary.


There is no software, anywhere, that can survive even a 1-pass erase. And as I mentioned above, you don't even need to do that.

Jun 26, 2013 2:35 PM in response to ds store

Hello all,


I read this topic several times.


Hopefully I can find someone here who can help me.


One week ago, I accidentally accepted a certificate with my browser and believe I have malware on my MacBook Pro Retina with 10.8.


Checked the internet connection with Little Snitch and noticed that my Mac connects permanently to several ad websites.


After using several antivirus tools without success, I decided to do a clean install of Mac OS 10.8.4 using Apple Internet Recovery.


I believed I had deleted all volumes on my Mac and reinstalled OS X. Although I am using a brand new installed OS right now, several things are very strange.




1. During the Internet Recovery install I saw a lot of errors in the log that I didn't have earlier:


localhost Unknown: Keyboard Layouts: duplicate keyboard layout identifier

localhost Unknown: Keyboard layer has been replaced with etc.

localhost: SMSystem_DMDiskBased Warning...


2. After booting OS X the first time I think I had OS X 10.8.2 on my system. I clicked on Software Update and updated to 10.8.3. I am almost sure that I had 10.8.4 before, but I cannot update to the newest OS anymore. Why?


3. I looked in Console.app right after the fresh install and had hundreds of logs:

- synservices.log

- ubiquitiy.log

- LKDC-setup.log

- stackshot.log

- apache2.log

- appfirewall.log

- com.applel.launchd.peruser...logs (at least 30)

- krb5kdc, fsck_hfs, opendirectoryd.log


I wonder whether all those logs appear as well during a "normal" install.

Although this is my second fresh install, I have incorrect write permissions that Disk Utility can't repair.

- System/Library/Frameworks/CoreGraphics.framework/Coregraphics

- Although I turned on my firewall through Settings.app, Terminal says: 65535 allow ip from any to any

- mdworker32 shows up in the logs all the time.

- mdnsresponder is doing something all the time

- Windowsserver is active permanently

- Security Agent logevents all the time

- ScreensharingLoginNotifications repeating


26 21:02:22 PeacePirates-MacBook-Pro.local configd[17]: network changed: DNS*

Jun 26 21:02:22 PeacePirates-MacBook-Pro.local awacsd[72]: Starting awacsd connectivity-78.2 (Dec 16 2012 19:43:29)

Jun 26 21:02:22 PeacePirates-MacBook-Pro.local awacsd[72]: InnerStore CopyAllZones: no info in Dynamic Store

Jun 26 21:02:22 PeacePirates-MacBook-Pro.local rpcsvchost[96]: sandbox_init: com.apple.msrpc.netlogon.sb succeeded




4. I turned the firewall on in Settings.app. In Terminal I see:


sudo /sbin/ipfw list

Password:

65535 allow ip from any to any


Firewall is obviously turned off...


Can someone give an explanation for that behaviour and tell me how to check whether someone has control over my MacBook? Since I reinstalled OS X two times from scratch, I have a strange feeling about all that.


Using debug mode in Disk Utility I see the firmware.scap file. Can someone tell me how to open that file to see its contents?

What log file can I upload to support you with more info?

By the way, my system.log is deleted automatically several times a day. Is that normal?

Jun 26, 2013 4:29 PM in response to PeacePirate

PeacePirate wrote:


I read this topic several times.

Since it's almost two years old, I doubt that it did and wish you had started a new topic that would bring fresh eyes to this, but here you are.

One week ago, I accidentally accepted a certificate with my browser and believe I have malware on my MacBook Pro Retina with 10.8.

If Flashback wasn't obsolete I would have suspected it, but at this time I know of no current malware that poses as a certificate.

Checked the internet connection with Little Snitch and noticed that my Mac connects permanently to several ad websites.

Such as? Most often caused by the installation of a browser extension, but see this article for other possibilities: Eliminating browser redirects and advertisements.

2. After booting OS X the first time I think I had OS X 10.8.2 on my system. I clicked on Software Update and updated to 10.8.3. I am almost sure that I had 10.8.4 before, but I cannot update to the newest OS anymore. Why?

I was under the impression that a reinstall using the internet installed the latest version which should have been 10.8.4. If when you choose "About this Mac" from the Apple menu it says you are using 10.8.3, then download and install the OS X Mountain Lion Update v10.8.4 (Combo).

Although this is my second fresh install, I have incorrect write permissions that Disk Utility can't repair.


Quite normal. This hasn't been updated but will give you the idea: Disk Utility's Repair Disk Permissions messages that you can safely ignore.

4. I turned the firewall on in Settings.app. In Terminal I see:


sudo /sbin/ipfw list

Password:

65535 allow ip from any to any


Firewall is obviously turned off...

No it's not turned off, I get the same results. What "Firewall Options" do you have checked / entered?


BTW, if you're on a trusted network behind a router using a strong WPA2 password, you don't need to have your firewall turned on, and it will slightly slow down your Internet access. If you take your MBP to a public hotspot such as Starbucks or the public library, then you need to have it turned on. See: Do I need a firewall?

What log file can I upload to support you with more info?

EtreCheck.

My system.log is deleted automatically several times a day. Is that normal?

No. It should be rolled over once a day, usually at midnight and not deleted for several days.
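The point made in the reply above (rule 65535 is ipfw's built-in catch-all, so a listing with only that rule says nothing about the firewall you switched on in System Preferences, which is the Application Firewall) can be checked with this added shell example. It is not code from the thread; the ipfw listings are constructed samples, and the com.apple.alf globalstate key and its values (0 off, 1 on, 2 block all incoming) are assumptions about where the Application Firewall keeps its state.

```shell
# Added example, not from the thread: tell "no ipfw rules" apart from
# "firewall off". Rule 65535 is ipfw's built-in default, and the firewall
# in System Preferences is the Application Firewall (ALF), whose state is
# assumed here to live in com.apple.alf globalstate (0 off, 1 on, 2 block all).

# Constructed sample: exactly what the poster pasted (default rule only).
IPFW_DEFAULT_ONLY='65535 allow ip from any to any'

# Constructed sample: an operator-added rule sitting in front of the default.
IPFW_WITH_RULE='00100 deny tcp from any to any dst-port 22
65535 allow ip from any to any'

# Count the ipfw rules that are not the built-in default rule 65535.
ipfw_custom_rule_count() {
    printf '%s\n' "$1" | awk 'NF > 0 && $1 != "65535" { n++ } END { print n + 0 }'
}

# Summarise an ipfw listing in the terms the reply uses.
ipfw_verdict() {
    if [ "$(ipfw_custom_rule_count "$1")" -eq 0 ]; then
        echo "ipfw: only the default rule, i.e. no packet-filter rules (says nothing about ALF)"
    else
        echo "ipfw: $(ipfw_custom_rule_count "$1") custom rule(s) present"
    fi
}

# Map an ALF globalstate value to words (the values are an assumption, see above).
alf_state_name() {
    case "$1" in
        0) echo "off" ;;
        1) echo "on (allow essential and signed services)" ;;
        2) echo "on (block all incoming connections)" ;;
        *) echo "unknown" ;;
    esac
}

# Read the live ALF state on a Mac; report "unavailable" on any other system.
alf_state_live() {
    if [ -r /Library/Preferences/com.apple.alf.plist ] && command -v defaults >/dev/null 2>&1; then
        alf_state_name "$(defaults read /Library/Preferences/com.apple.alf globalstate 2>/dev/null)"
    else
        echo "unavailable"
    fi
}

ipfw_verdict "$IPFW_DEFAULT_ONLY"
ipfw_verdict "$IPFW_WITH_RULE"
echo "Application Firewall: $(alf_state_live)"
```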
