
My MacBook Pro has a virus/trojan that is resetting the EFI via ACPI and it is getting root access privileges. It seems to be creating multiple aliases that bundle with rogue apps and preferences so it is very difficult to control or fix. Please help..

My MacBook Pro has a virus/trojan that is resetting the EFI via ACPI and it is getting root access privileges. It seems to be creating multiple aliases that bundle with rogue apps and preferences so it is very difficult to control or fix. Please help.. It all stems from the "about downloads" PDF which kicks off the restructuring of the OS..

MacBook Pro, OS X Mountain Lion (10.8.3)

Posted on May 6, 2013 11:32 PM

77 replies

Sep 3, 2013 4:49 PM in response to xnav

Hey Willyr...


YES! Although that was almost 2-3 years ago. I use Comcast / Xfinity and before I had Business Class the data limit was 250 GB. My average per month before they contacted me was around 20-40 GB, some months only 10.


Then one month they claimed they called me to warn me that I had gone "WAY OVER" my allotted amount. I was not doing anything different that month and I didn't download movies, etc. It was definitely a hack and this is when I started to become aware of the problem.


In my area Comcast / Xfinity provides the highest speeds, up to 100 Mbps down / 10 up, and the DSL services are just OK... maybe 10 down, 2 up or something along those lines.


I do use my computer a lot and at this point I have really changed from being a Mac lover to a hater! They have great customer support for people that don't know how to sync iTunes or work iPhoto, etc... they don't have any idea on how to fix all this equipment I have purchased.


Sometimes they will send it up to an Apple engineer however you have to replicate the problem in the store and then it is still a shot in the dark. I have begged apple to take one of my computers to take a look and even with all the $ I have spent with them and their Apple Care, they can't do ANYTHING!!


Very upsetting!


Again if anyone has any recommendations I would really appreciate it.


And yes as stated I do have all automated app downloads and software updates off. And again I do check for new software updates on a daily basis manually, hoping one day Apple will fix this. I highly doubt they read this forum.


Thanks guys!

Sep 3, 2013 6:03 PM in response to java-attack

Hey Xnav...


Just realized I did not answer your question. I did have all those unchecked before I loaded and signed into the App Store. I have considered this option many times.


I did find where this "Mountain" app was purchased from and it says from my credit card that I use to purchase other apps. It says I purchased this on March 03 2013.


*** Another thing that I forgot to tell you guys is if I do let this go for a couple days the "Creation Date" on the Mac HD drive goes back to March 20 2013. Obviously the creation date is when you last installed OS X. It is still at this date now for the particular machine I am talking about, but I would bet everything that soon enough this malware will run its course and change that date back. The only reason I can think of is to try and use an expired root certificate of some sort... but who knows.


Again any thoughts would be much appreciated.


Thanks.

Sep 3, 2013 7:01 PM in response to java-attack

java-attack wrote:


Again any thoughts would be much appreciated.

Any thoughts? Oh well, here goes....


You have described a process where you have some sort of "$600 hardware firewall", firmware passwords, and you are repartitioning your hard drives multiple times and reinstalling the OS. The problem reoccurs on every new machine you purchase. The mode of delivery is the Mac App Store and it does not need your admin password to install itself.


The most logical explanation is that you are simply making it all up for entertainment.

Sep 3, 2013 7:22 PM in response to etresoft

I wish that was true, it is funny to me that people believe this stuff is not possible. I didn't notice it for a long time and then when the Java scare came out I started taking a look at system files just to make sure I didn't have anything strange looking.


When you go to the terminal and type in the command to show hidden files and then you find something that looks suspicious in the startupagents folder (not the GUI startup items per user, where you can hit the "-" to remove) and find that it is a hidden alias to another folder buried deep in the system files that are all related... that makes you wonder.


What really makes you wonder is when you go to rename those files with the extension ".old" and it asks for the Admin User Name and PW to do so... someone starts typing on your keyboard like crazy so it was impossible for me to enter my PW. Obviously I shut down and unplugged the Ethernet cable, but it is crazy. There was no screen or file sharing access allowed and I didn't have any screen sharing software that I was using or had ever used in the past on that machine.


Believe me if you went through all the stuff that I have gone through and you ran the type of business I do that requires Security, you would be going crazy!


I have only posted in this forum 3 or 4 times and the reason I am doing so is to find someone out there that could possibly help or relate, I can assure you the last thing this experience has been is "Entertaining."


People can hack twitter, FB the Govt... but not a few Macs? Really?

Sep 3, 2013 8:10 PM in response to java-attack

java-attack wrote:


When you go to the terminal and type in the command to show hidden files and then you find something that looks suspicious in the startupagents folder (not the GUI startup items per user, where you can hit the "-" to remove) and find that it is a hidden alias to another folder buried deep in the system files that are all related... that makes you wonder.


Those files are hidden for a reason. If you don't understand how it is designed, stay out of there.


What really makes you wonder is when you go to rename those files with the extension ".old" and it asks for the Admin User Name and PW to do so... someone starts typing on your keyboard like crazy so it was impossible for me to enter my PW. Obviously I shut down and unplugged the Ethernet cable, but it is crazy. There was no screen or file sharing access allowed and I didn't have any screen sharing software that I was using or had ever used in the past on that machine.


To repeat. Stay out of there and don't rename system files.


I have only posted in this forum 3 or 4 times and the reason I am doing so is to find someone out there that could possibly help or relate, I can assure you the last thing this experience has been is "Entertaining."


I didn't mean to imply that such an experience would be entertaining. I was saying that posting an elaborate and quite impossible story on an internet forum is something that some people find entertaining.


Given the information you originally provided, "entertainment" was the most likely explanation. With this new information, the most likely explanation is someone overly paranoid who tried some terminal commands they didn't understand and started hacking around on system files. In this situation, all bets are off. You were certainly not hacked. Why would anyone want to take control of your Mac in that state? Just reinstall the operating system and stop poking around in system folders and deleting files.

Sep 4, 2013 7:09 AM in response to etresoft

I don't think you get it... that was one time. And deleting an alias that points to 3 very suspicious files still should not have someone start typing on my machine.


Again that was ONE TIME... since then I have completely wiped that computer and other Macs set all the security settings as mentioned in my first post, never touched the terminal or anything outside of the GUI and it is still happening. This has not been going on for a month it has been going on for over a year.


I have two IT guys that have watched this, one who is listed on the Apple Certified Consultant page and the other one who is a Cisco Certified IT Pro... they are completely baffled up to this point.


Believe me this is not because I wrote a couple terminal commands and deleted/renamed a file on a completely separate computer 4 months ago!!


They find this scenario so interesting they are barely charging me as they want to get to the bottom of this as well.


I will shoot out a post if there are any findings, really just hoping that someone out there has experienced something similar and will shoot out a post. I guess I will keep you guys posted, if and when this does get resolved.


Thanks.

Sep 4, 2013 8:05 AM in response to java-attack

java-attack wrote:


I don't think you get it...that was one time And deleting an alias that points to 3 very suspicious files still should not have someone start typing on my machine.

And you want us to solve the problem with you dribbling out tiny tidbits of information? Maybe you could start by explaining, in plain English, not what you think is going on, but what you are seeing. Don't even bother saying the words virus, malware, hack, trojan, etc. That implies you already know the cause and will therefore withhold any and all information that does not support your hypothesis.


You see an alias? What alias? Where is it? What is its name? It points to 3 very suspicious files? What are they? Where are they? What are their names? This is basic, step 1 level information. Until you start doing that, no one is going to give you the time of day, unless they are charging you by the hour, of course. And I don't just mean the paths to those 4 files. I mean everything on your system that isn't as you expect and any behaviour that isn't as you expect. If you make any change, any change at all, based on what you see somewhere on the internet, all bets are off. You will be ignored until you reformat your hard drive and reinstall the OS.


Finally, and most importantly, you MUST start your own thread to describe the PROBLEMS you are SEEING, not the cause you suspect. Until that happens, you are just piggy-backing on a thread that has already been flagged by everyone as paranoia-central. This thread is DEAD, DEAD, DEAD!
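The concrete inventory the reply above asks for (which plists sit in the launchd directories, which of them are aliases or symlinks, and where each one's program actually lives) can be collected with a script instead of by hand. The following is an added example written for this page; it is not from the thread, from Apple, or from EtreCheck. It is POSIX sh, runs offline against a constructed sample tree with `--demo`, and with `--live` walks the standard launchd directories on a Mac. The directory names, the sample plists and the path-based classification are assumptions, and the classification is a location heuristic, not a verdict: a SUSPECT or REVIEW entry still needs `codesign -dv` on the binary and a look at what it does.

```sh
#!/bin/sh
# Added example for this page (not from the thread, Apple, or EtreCheck):
# a portable launchd persistence triage script. It lists every plist in a
# LaunchAgents/LaunchDaemons directory, hidden ones included, reports
# symlinked plists with their targets, and classifies the first absolute
# path found in each plist (normally Program or ProgramArguments[0]) by
# where it lives. Directory names and the sample tree are assumptions.

# Directories walked with --live (assumed standard macOS locations).
LIVE_DIRS="/System/Library/LaunchAgents /System/Library/LaunchDaemons \
/Library/LaunchAgents /Library/LaunchDaemons"

# first_program FILE -> first <string> whose value is an absolute path, or "-"
first_program() {
  p=$(grep -o '<string>/[^<]*</string>' "$1" 2>/dev/null | head -n 1 | sed 's/<[^>]*>//g')
  if [ -n "$p" ]; then printf '%s\n' "$p"; else printf '%s\n' '-'; fi
}

# classify PATH -> SUSPECT | OK | REVIEW. Location heuristic only, not a verdict:
# a hidden path component (/.something), temp or cache location is SUSPECT;
# the stock system binary trees are OK; everything else needs a human look.
classify() {
  case "$1" in
    */.*|/tmp/*|/private/tmp/*|/var/tmp/*|/private/var/tmp/*|*/Library/Caches/*) echo SUSPECT ;;
    /System/*|/usr/bin/*|/usr/sbin/*|/usr/libexec/*|/bin/*|/sbin/*) echo OK ;;
    *) echo REVIEW ;;
  esac
}

# scan_launch_dir DIR -> one line per plist: "<verdict> <plist> <program or link target>"
scan_launch_dir() {
  dir="$1"
  [ -d "$dir" ] || return 0
  for f in "$dir"/*.plist "$dir"/.*.plist; do
    [ -e "$f" ] || [ -L "$f" ] || continue      # unmatched glob is left as a literal
    if [ -L "$f" ]; then                         # an alias/symlink where a file is expected
      printf 'LINK %s %s\n' "$f" "$(readlink "$f")"
      continue
    fi
    prog=$(first_program "$f")
    printf '%s %s %s\n' "$(classify "$prog")" "$f" "$prog"
  done
}

# make_sample_tree DIR -> constructed LaunchAgents directory used for the demo
make_sample_tree() {
  d="$1"; mkdir -p "$d/.deep"
  cat > "$d/com.example.clean.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.clean</string>
  <key>Program</key><string>/usr/libexec/sample-helper</string>
</dict></plist>
EOF
  cat > "$d/.com.example.hidden.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.hidden</string>
  <key>ProgramArguments</key><array>
    <string>/Users/Shared/.cache/updater</string>
    <string>--daemon</string>
  </array>
</dict></plist>
EOF
  # a visible plist that is really a symlink into a hidden directory
  cp "$d/.com.example.hidden.plist" "$d/.deep/com.example.real.plist"
  ln -s "$d/.deep/com.example.real.plist" "$d/com.example.alias.plist"
}

if [ "${1:-}" = "--live" ]; then
  for d in $LIVE_DIRS "$HOME/Library/LaunchAgents"; do scan_launch_dir "$d"; done
elif [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d); make_sample_tree "$tmp"; scan_launch_dir "$tmp"; rm -rf "$tmp"
fi
```

Run it as `sh scan.sh --demo` to see the three constructed cases (an OK system helper, a SUSPECT hidden plist whose program lives in a dot-directory, and a LINK line for the symlinked plist with its target), or `sh scan.sh --live` on the affected Mac and paste the output into the thread. Output fields are space separated, so paths containing spaces should be quoted by hand when reporting them.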

Sep 4, 2013 8:31 AM in response to etresoft

I thought I was very specific in my first explanation about when I completely wipe my Mac, set up an Admin account, put every security measure in place and don't put any info about my iCloud account, don't log in to iTunes nor the App Store in the Admin account and then create a Standard account.


After verifying that automatic downloads and updates are turned off and making sure that all manual updates have been checked and are up to date, then in my Standard account I log in to my App Store. The second I do that my Launchpad begins to download an app called "Mountain"; if you search for it in the App Store it is the second one next to Mountain Lion. Mountain is an app that is used for peer-to-peer networking.


This app downloads without me clicking on it or giving it Admin permission, and the box for permission that pops up is one that looks different than the typical Mac box that would ask for permission for changing settings or installing software in a Standard account. This box says "storeagent is attempting to download software to your computer" and next to this storeagent is a grey box with the green letters "exec". It doesn't matter if I choose Cancel, OK or simply ignore it, the Mountain app still downloads.


I have been able to stop the installation at times and it sits on the Launchpad. However when the installation is completed, which is extremely fast as the file is 2.1 MB, it disappears from the Launchpad.


Now I don't care if you want to use the word malware, trojan, virus, or whatever... but everyone from Apple Tier 2 phone support, to Apple Geniuses and very experienced IT guys have no idea how this continues to come back.


I certainly am not trying to argue with you, but I am not a Mac novice by any means and I have completely wiped systems more than 25 or so times. I never reinstall anything from Time Machine, etc... I am just trying to get past these initial problems, which have led to further problems. The worst being people being able to move the mouse, type, etc.


Now that I think of it though, in a way it is "Entertaining" ... because I have IT guys that come over and keep trying to figure out the problem and since I am a tech junkie, I am excited to find out what is causing this. I have heard too many people say, well that is impossible and then when they see it with their own eyes, they are like "***!!"


Anyway thanks for listening.

Sep 4, 2013 8:35 AM in response to java-attack

Xnav - Sorry I missed your question!


The answer is Yes I have tried it on other networks. In fact I just did an Internet Recovery in a remote location of Wisconsin at a Summer Home we own there. Same outcome... and that wasn't fun because the Internet Recovery part took hours and hours, compared to 15 minutes at my Urban home 😉


...Anyway, same result with the app that downloads by itself with no permission.


Thanks!

Sep 4, 2013 8:56 AM in response to xnav

Thanks Xnav...


I have my IT guy coming over tonight and he should be here for about 3 hours or so. I have more screenshots and screencasts to show him how this has happened again, even though he caught the majority of it last time. I have looked at that app; the crazy thing is that I never purchased it and I have never seen it in the upper right hand corner with other items I have had installed previously.


Thanks again

Sep 4, 2013 9:55 AM in response to java-attack

java-attack wrote:


I thought I was very specific in my first explanation about when I completely wipe my Mac, set up an Admin account, put every security measure in place and don't put any info about my iCloud account, don't log in to iTunes nor the App Store in the Admin account and then create a Standard account.


Try this - stop being so paranoid. Don't wipe anything. Whatever you were doing before to "secure" your machine - stop doing it.


This app downloads without me clicking on it or giving it Admin permission, and the box for permission that pops up is one that looks different than the typical Mac box that would ask for permission for changing settings or installing software in a Standard account. This box says "storeagent is attempting to download software to your computer" and next to this storeagent is a grey box with the green letters "exec". It doesn't matter if I choose Cancel, OK or simply ignore it, the Mountain app still downloads.


That dialog sounds like something that LittleSnitch might display. However, Little Snitch would only display that if it were horribly misconfigured.


If you are installing Little Snitch or any other kind of "security" or "clean up" software, then stop doing that. Macs don't need any of that. There are a handful of legitimate security tools like Little Snitch and a couple of legitimate antivirus tools like Sophos or Norton, but the other 99% of it is just scamware that will do more harm than good. Your machine will work perfectly fine without any of it.


If you really want to see what is going on with your system, try running EtreCheck. Download EtreCheck from http://www.etresoft.com/etrecheck, run it, and paste the results here.



Disclaimer: Although EtreCheck is free, there are other links on my site that could give me some form of compensation, financial or otherwise.


Sep 4, 2013 10:25 AM in response to etresoft

Hey Etresoft...


Thanks for the recommendation with the software. With the past couple reinstalls I have only set up an Admin and Standard account and the basic security items toggled on that come with Mac. I definitely agree that most of the 3rd party or App Store security software is certainly not going to help and as you said might cause harm or certainly do nothing to help.


Again.. thanks for the recommendation and in the next day or two I will be certain to check this out as I have this forum page bookmarked!


Thanks!

