My MacBook Pro has a virus/trojan that is resetting the EFI via ACPI and it is getting root access privileges. It seems to be creating multiple aliases that bundle with rogue apps and preferences, so it is very difficult to control or fix. Please help...

My MacBook Pro has a virus/trojan that is resetting the EFI via ACPI and it is getting root access privileges. It seems to be creating multiple aliases that bundle with rogue apps and preferences, so it is very difficult to control or fix. Please help... It all stems from the "about donwloads" PDF, which kicks off the restructuring of the OS.

MacBook Pro, OS X Mountain Lion (10.8.3)

Posted on May 6, 2013 11:32 PM

77 replies

Sep 3, 2013 3:50 PM in response to Samurai184

I think "Samuri" started this post and everyone thought he was "crazy"... but the fact of the matter is there are certainly all types of malware for Macs. Most don't encounter these as they are most often targeted / limited attacks.


I will give a quick example, and if anyone can explain this to me or has had a similar experience I would love to hear back!! .....

So I have about 6 Macs for my current and past business. Plus I always love grabbing the newest technology. That said, this "problem" occurs with every Mac I own. Even on a brand new MBP Retina that no one has had access to. I keep firmware PWs on, I only use Ethernet connections, I have a $600 hardware firewall configured to let nothing in (no VPNs, etc.)... obviously have sharing off, **** I don't even use Bluetooth.


Anyway when I wipe the drive I do it like this...


1.) Take out both the Mac HD and Recovery partition....


2.) I have 50 Mbps download speed, so Internet Recovery is very quick. I go through the normal process.


3.) Once I have reached the new recovery partition from the Internet Recovery, I partition the SSD a couple of times in different formats and then go back to the normal Journaled that I will be using for my single-partitioned SSD.


4.) Then I install and go through all the normal steps, except I skip everything that I can. I don't add location services, I set time manually and I don't sign into iCloud, as this will be my Admin account. I normally just call the account Main or Admin.


5.) I check for updates and install any that might have not been included in the most recent Internet Recovery.


6.) In the Admin account I set a tough PW and then begin with all the security options. Again, all sharing off, Firewall on, Wi-Fi off and requires Admin access to turn on, no peer-to-peer networking without Admin access, Bluetooth off, Java and extensions turned off in Safari, etc. You name it, I have done it as far as the GUI goes. I am certainly no expert in Terminal, but can make my way around for some things.



7.) I create a Standard account, "the one in which I will conduct 99% of my business in." Again I create a strong PW for this account and confirm that the security settings that I set up in Admin match those of my Standard account.


HERE IS WHERE THINGS GO WRONG...


8.) I go into options and log in to iCloud.


HERE IS WHERE IT IS ABSOLUTELY WRONG...


9.) I log in to the App Store as I want to download some of the simple apps so I can go to work. IMMEDIATELY, it starts downloading a program called "Mountain"... please don't confuse this with Mountain Lion (you can see it listed second in the App Store search "Mountain")... when I look down at my Launchpad bar without hitting anything, the 2.1 MB file is downloading and then disappears from my Launchpad.


** Also, as this is going on, "storeagent" with the Linux exec box icon next to it shows up saying "storeagent is attempting to install software to your computer." It does ask for the Admin user and PW, but no matter what I hit, this "Mountain" app downloads.

When I first noticed this I thought this was legit; well, it certainly is not. I have never purchased that "app", however it does show up in my App Store Purchases. The gateway is obviously not doing its job, and FURTHERMORE I don't have any of the options to "Automatically Download New Apps, etc." I simply just check for updates manually every day, as it is a 2-second process and Mountain Lion doesn't check automatically until every 7 days.


Sorry for the long post... Anyway, anyone experiencing the same thing? I can redo my drive over and over again... I have even purchased a new MacBook Air a year ago to see if it would happen, and the problems eventually started, and fairly quickly. The weird thing also is that I have done wipes and reinstalls in all sorts of different locations.


So all this said... how could it not be in the EFI or on the machine somehow?


Thanks guys... I hope someone has experienced a similar experience!!! ... as the Mac Store and AppleCare have been of no help!! ... and with a problem like this, I think it is way above a level 2 Mac specialist's head 😉

Sep 3, 2013 4:25 PM in response to xnav

He mentioned he did not have those options checked..


java-attack: has your ISP ever noted your comps "attacking" their networks and suspended your service? Mine did. Sounds similar, but I have stopped pulling my hair out over specific sketchy behaviour as I rely on my computers much less now (a shame given I'm starting a software company hahah). Apple seems to be sneakily discouraging on the issue IMHO.

Sep 3, 2013 4:49 PM in response to xnav

Hey Willyr...


YES! Although that was almost 2-3 years ago. I use Comcast / Xfinity, and before I had Business Class the data limit was 250 GB. My average per month before they contacted me was around 20-40 GB, some months only 10.


Then one month they claimed they called me to warn me that I had gone "WAY OVER" my allotted amount. I was not doing anything different that month and I didn't download movies, etc. It was definitely a hack, and this is when I started to become aware of the problem.


In my area Comcast / Xfinity provides the highest speeds, up to 100 Mbps down / 10 up, and the DSL services are just OK... maybe 10 down, 2 up or something along those lines.


I do use my computer a lot, and at this point I have really changed from being a Mac lover to a hater! They have great customer support for people that don't know how to sync iTunes or work iPhoto, etc.... they don't have any idea how to fix all this equipment I have purchased.


Sometimes they will send it up to an Apple engineer, however you have to replicate the problem in the store and then it is still a shot in the dark. I have begged Apple to take one of my computers to take a look, and even with all the $ I have spent with them and their AppleCare, they can't do ANYTHING!!


Very upsetting!


Again if anyone has any recommendations I would really appreciate it.


And yes, as stated, I do have all automated app downloads and software updates off. And again, I do check for new software updates on a daily basis manually, hoping one day Apple will fix this. I highly doubt they read this forum.


Thanks guys!

Sep 3, 2013 6:03 PM in response to java-attack

Hey Xnav...


Just realized I did not answer your question. I did have all those unchecked before I loaded and signed into the App Store. I have considered this option many times.


I did find where this "Mountain" app was purchased from, and it says from my credit card that I use to purchase other apps. It says I purchased this on March 03, 2013.


*** Another thing that I forgot to tell you guys is, if I do let this go for a couple of days, the "Creation Date" on the Mac HD drive goes back to March 20, 2013. Obviously the creation date is when you last installed OS X. It is still at this date now for the particular machine I am talking about, but I would bet everything that soon enough this malware will run its course and change that date back. The only reason I can think of is to try and use an expired root certificate of some sort... but who knows.


Again any thoughts would be much appreciated.


Thanks.

Sep 3, 2013 7:01 PM in response to java-attack

java-attack wrote:


Again any thoughts would be much appreciated.

Any thoughts? Oh well, here goes....


You have described a process where you have some sort of "$600 hardware firewall", firmware passwords, and you are repartitioning your hard drives multiple times and reinstalling the OS. The problem reoccurs on every new machine you purchase. The mode of delivery is the Mac App Store and does not need your admin password to install itself.


The most logical explanation is that you are simply making it all up for entertainment.

Sep 3, 2013 7:22 PM in response to etresoft

I wish that was true. It is funny to me that people believe this stuff is not possible. I didn't notice it for a long time, and then when the Java scare came out I started taking a look at system files just to make sure I didn't have anything strange looking.


When you go to the terminal and type in the command to show hidden files, and then you find something that looks suspicious in the startupagents folder (not the GUI startup items per user, in which you can hit the "-" to remove) and find that it is a hidden alias to another folder buried deep in the system files that were all related... that makes you wonder.


What really makes you wonder is when you go to rename those files with the extension ".old" and it asks for the Admin user name and PW to do so... someone starts typing on your keyboard like crazy, so it was impossible for me to enter my PW. Obviously I shut down and unplugged the Ethernet cable, but it is crazy. There was no screen or file sharing access allowed, and I didn't have any screen sharing software that I was using or had ever used in the past on that machine.


Believe me, if you went through all the stuff that I have gone through and you ran the type of business I do that requires security, you would be going crazy!


I have only posted in this forum 3 or 4 times, and the reason I am doing so is to find someone out there that could possibly help or relate. I can assure you the last thing this experience has been is "entertaining."


People can hack twitter, FB the Govt... but not a few Macs? Really?
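The check a practitioner would actually run for the "hidden alias in the startup agents folder" described in the post above, written here as an added example and not code from any participant in this thread: enumerate the launchd persistence directories, resolve any symlinks ("aliases") rather than renaming anything, and flag plists whose program lives in a hidden directory or outside the usual system and application locations. The script is read-only. The trusted-prefix list is a heuristic assumption to tune per machine, and the sample directory it builds is constructed demo data, not a capture from any real Mac.

```python
"""Added example: read-only triage of launchd persistence (LaunchAgents/LaunchDaemons).

Resolves symlinked plists, reads Program/ProgramArguments, and flags programs
in hidden directories or outside the usual install locations. Nothing on disk is
modified; renaming system files is exactly what this avoids.
"""
import os
import plistlib
import tempfile

# Directories launchd loads persistence plists from; the per-user one is added in audit_system().
LAUNCHD_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    "/System/Library/LaunchAgents",
    "/System/Library/LaunchDaemons",
]
# Heuristic (assumption; tune per fleet): where a legitimately installed program is expected to live.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/", "/Applications/")


def program_of(plist):
    """Executable a launchd job would run: Program wins, else ProgramArguments[0]."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def is_hidden_path(path):
    """True if any component of the path is a dot-directory or dot-file."""
    return any(part.startswith(".") for part in path.split("/") if part)


def audit_dir(directory):
    """Return findings (one dict per suspicious plist) for a single launchd directory."""
    findings = []
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        reasons = []
        if os.path.islink(path):
            # An "alias" in the agents folder: record where it really points.
            reasons.append("plist is a symlink to " + os.path.realpath(path))
        try:
            with open(path, "rb") as fh:  # plistlib handles both XML and binary plists
                plist = plistlib.load(fh)
        except Exception as exc:
            findings.append({"plist": path, "program": None, "reasons": ["unreadable: %s" % exc]})
            continue
        label = plist.get("Label")
        if label and label != name[: -len(".plist")]:
            reasons.append("Label %r does not match file name" % label)
        prog = program_of(plist)
        if prog is None:
            reasons.append("no Program or ProgramArguments")
        else:
            if is_hidden_path(prog):
                reasons.append("program lives in a hidden directory")
            if not prog.startswith(TRUSTED_PREFIXES):
                reasons.append("program outside trusted prefixes")
            if os.path.islink(prog):
                reasons.append("program is a symlink to " + os.path.realpath(prog))
        if reasons:
            findings.append({"plist": path, "program": prog, "reasons": reasons})
    return findings


def audit_system():
    """Audit every launchd directory on this machine, including the current user's."""
    dirs = LAUNCHD_DIRS + [os.path.expanduser("~/Library/LaunchAgents")]
    return [f for d in dirs for f in audit_dir(d)]


def build_sample_tree(root):
    """Constructed demo data (not a real capture): one benign agent plus one whose
    plist is a symlink into a hidden directory and runs a program from there."""
    agents = os.path.join(root, "Library", "LaunchAgents")
    hidden = os.path.join(root, ".cache", ".helper")
    os.makedirs(agents)
    os.makedirs(hidden)
    benign = {"Label": "com.example.updater",
              "ProgramArguments": ["/usr/libexec/example-updater", "--check"],
              "RunAtLoad": True}
    with open(os.path.join(agents, "com.example.updater.plist"), "wb") as fh:
        plistlib.dump(benign, fh)
    suspect = {"Label": "com.example.sync-helper",
               "Program": os.path.join(hidden, "helper"),
               "RunAtLoad": True, "KeepAlive": True}
    target = os.path.join(hidden, "agent.plist")
    with open(target, "wb") as fh:
        plistlib.dump(suspect, fh)
    os.symlink(target, os.path.join(agents, "com.example.sync-helper.plist"))
    return agents


def demo_findings():
    """Run the audit over a freshly built sample tree (used by the demo and the tests)."""
    return audit_dir(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for finding in demo_findings():
        print(finding["plist"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

On a real Mac, replace `demo_findings()` with `audit_system()`, compare the result against `launchctl list`, and inspect any flagged binary with `codesign -dv --verbose=4 <path>` before deciding anything; a finding here is a lead to examine, not proof of compromise, and a legitimate third-party agent installed under a user's home directory will also trip the prefix heuristic.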

Sep 3, 2013 8:10 PM in response to java-attack

java-attack wrote:


When you go to the terminal and type in the command to show hidden files, and then you find something that looks suspicious in the startupagents folder (not the GUI startup items per user, in which you can hit the "-" to remove) and find that it is a hidden alias to another folder buried deep in the system files that were all related... that makes you wonder.


Those files are hidden for a reason. If you don't understand how it is designed, stay out of there.


What really makes you wonder is when you go to rename those files with the extension ".old" and it asks for the Admin user name and PW to do so... someone starts typing on your keyboard like crazy, so it was impossible for me to enter my PW. Obviously I shut down and unplugged the Ethernet cable, but it is crazy. There was no screen or file sharing access allowed, and I didn't have any screen sharing software that I was using or had ever used in the past on that machine.


To repeat. Stay out of there and don't rename system files.


I have only posted in this forum 3 or 4 times, and the reason I am doing so is to find someone out there that could possibly help or relate. I can assure you the last thing this experience has been is "entertaining."


I didn't mean to imply that such an experience would be entertaining. I was saying that posting an elaborate and quite impossible story on an internet forum is something that some people find entertaining.


Given the information you originally provided, "entertainment" was the most likely explanation. With this new information, the most likely explanation is someone overly paranoid who tried some terminal commands they didn't understand and started hacking around on system files. In this situation, all bets are off. You were certainly not hacked. Why would anyone want to take control of your Mac in that state? Just reinstall the operating system and stop poking around in system folders and deleting files.

Sep 4, 2013 7:09 AM in response to etresoft

I don't think you get it... that was one time. And deleting an alias that points to 3 very suspicious files still should not have someone start typing on my machine.


Again, that was ONE TIME... since then I have completely wiped that computer and other Macs, set all the security settings as mentioned in my first post, never touched the terminal or anything outside of the GUI, and it is still happening. This has not been going on for a month; it has been going on for over a year.


I have two IT guys that have watched this, one who is listed on the Apple Certified Consultant page and the other one who is a Cisco Certified IT Pro... they are completely baffled up to this point.


Believe me, this is not because I wrote a couple of terminal commands and deleted/renamed a file on a completely separate computer 4 months ago!!


They find this scenario so interesting they are barely charging me as they want to get to the bottom of this as well.


I will shoot out a post if there are any findings; really just hoping that someone out there has experienced something similar and will shoot out a post. I guess I will keep you guys posted, if and when this does get resolved.


Thanks.

Sep 4, 2013 8:05 AM in response to java-attack

java-attack wrote:


I don't think you get it... that was one time. And deleting an alias that points to 3 very suspicious files still should not have someone start typing on my machine.

And you want us to solve the problem with you dribbling out tiny tidbits of information? Maybe you could start by explaining, in plain English, not what you think is going on, but what you are seeing. Don't even bother saying the words virus, malware, hack, trojan, etc. That implies you already know the cause and will therefore withhold any and all information that does not support your hypothesis.


You see an alias? What alias? Where is it? What is its name? It points to 3 very suspicious files? What are they? Where are they? What are their names? This is basic, step 1 level information. Until you start doing that, no one is going to give you the time of day, unless they are charging you by the hour, of course. And I don't just mean the paths to those 4 files. I mean everything on your system that isn't as you expect and any behaviour that isn't as you expect. If you make any change, any change at all, based on what you see somewhere on the internet, all bets are off. You will be ignored until you reformat your hard drive and reinstall the OS.


Finally, and most importantly, you MUST start your own thread to describe the PROBLEMS you are SEEING, not the cause you suspect. Until that happens, you are just piggy-backing on a thread that has already been flagged by everyone as paranoia-central. This thread is DEAD, DEAD, DEAD!

Sep 4, 2013 8:31 AM in response to etresoft

I thought I was very specific in my first explanation about when I completely wipe my Mac, set up an Admin account, put every security measure in place and don't put any info about my iCloud account, don't log in to iTunes nor the App Store in the Admin account, and then create a Standard account.


After verifying that automatic downloads and updates are turned off and making sure that all manual updates have been checked and are up to date, then in my Standard account I log in to my App Store. The second I do that, my Launchpad begins to download an app called "Mountain"; if you search for it in the App Store it is the second one next to Mountain Lion. Mountain is an app that is used for peer-to-peer networking.


This app downloads without me clicking on it or giving it Admin permission, and the box for permission that pops up is one that looks different than the typical Mac box that would ask for permission for changing settings or installing software in a Standard account. This box says "storeagent is attempting to download software to your computer", and next to this storeagent is a grey box with the green letters "exec". It doesn't matter if I choose Cancel, OK or simply ignore it, the Mountain app still downloads.


I have been able to stop the installation at times and it sits on the Launchpad. However, when the installation is completed, which is extremely fast as the file is 2.1 MB, it disappears from the Launchpad.


Now I don't care if you want to use the word malware, trojan, virus, or whatever... but everyone from Apple Tier 2 phone support, to Apple Geniuses and very experienced IT guys have no idea how this continues to come back.


I certainly am not trying to argue with you, but I am not a Mac novice by any means and I have completely wiped systems more than 25 or so times. I never reinstall anything from Time Machine, etc.... I am just trying to get past these initial problems, which have led to further problems. The worst being people being able to move the mouse, type, etc.


Now that I think of it though, in a way it is "entertaining"... because I have IT guys that come over and keep trying to figure out the problem, and since I am a tech junkie, I am excited to find out what is causing this. I have heard too many people say, well, that is impossible, and then when they see it with their own eyes, they are like "***!!"


Anyway thanks for listening.

Sep 4, 2013 8:35 AM in response to java-attack

Xnav - Sorry I missed your question!


The answer is yes, I have tried it on other networks. In fact I just did an Internet Recovery in a remote location of Wisconsin at a summer home we own there. Same outcome... and that wasn't fun, because the Internet Recovery part took hours and hours, compared to 15 minutes at my urban home 😉


...Anyway, same result with the app that downloads by itself with no permission.


Thanks!

Sep 4, 2013 8:56 AM in response to xnav

Thanks Xnav...


I have my IT guy coming over tonight and he should be here for about 3 hours or so. I have more screenshots and screencasts to show him how this has happened again, even though he caught the majority of it last time. I have looked at that app; the crazy thing is that I never purchased it and I have never seen it in the upper right hand corner with other items I have had installed previously.


Thanks again
