Traveling Rootkit

First of all, I believe you! Do you have any idea how the Mac became infected? It sounds like you contracted one of the new extremely rare firmware attacks. That means it's re-written your firmware to inject the rootkit every time you boot. If that is what happened, unfortunately you cannot remove it. You cannot overwrite the firmware. You would have to ship it back to Apple and have the system board replaced. This isn't just an Apple problem, there are PC rootkits capable of similar attacks. Another possible item is the root kit could be installed in the hard drive firmware. Attacks of this nature have been witnessed in the last 3-4 years and until recently were likely state sponsored groups behind them. This is not a run of the mill infection, it's quite advanced.

Final option to truly confirm the rootkit is in the firmware would be to do the following:

1. Buy a new thumb drive 8gb+ (preferably one with a write protect hardware switch or external forensics write blocker device)

2. Plug it ONLY into a known clean Mac and download Yosemite and burn to the thumb drive

3. Replace the internal Mac hard disk

4. Boot only from the write protected thumb drive and install Yosemite

5. If the rootkit shows up then it has to be coming from the Mac firmware

6. Sorry... You have a brick...

There really is no way around this, the firmware is used to boot and will always re-install the rootkit as you have noticed. Apple may be able to overwrite the firmware or replace the chip at their factory.

You might try to find a security researcher who would be willing to buy the Mac purely for the forensics and reverse engineering of this attack.

http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-m alware-that-jumps-airgaps/

http://arstechnica.com/security/2015/06/new-remote-exploit-leaves-most-macs-vuln erable-to-permanent-backdooring/

At some point malicious software was run as root or admin privileges that allowed the firmware to be overwritten. As a precaution in future, set a firmware password and ensure root account remains disabled and that you do not run a primary account as admin. Be extremely careful installing software. Avoid pirated software as many contain malicious payloads. Avoid the dangerous underbelly of the Internet / darknet, etc.

Underlying errors reported (indicates the disk media may be faulty)

The screenshot has "Disk IO errors" (potential disk issues)

Looks like your internal disk is damaged/ failed/ unreliable. Disks do not last forever, has it ever been replaced, I assume it is for the 17" Macbook Pro (from around 2012)?

Take it to an Apple store ask for a test or a quote to replace it. Or find someone to do it for you. ifixit.com will have a guide for a HD replacement. Apple hardware test will do some basic tests & may verify if the disk is having issues…

How to use Apple Hardware Test on your Mac - Apple Support

I think some models also had bad SATA drive cables that can fail, so a store may advise you on that.

As for the rest of your issues – sorry life is too short to try to parse and process everything you wrote.

TLDR: Almost 1000 words…

• Wi-Fi issue
• 2 factor issue
• Screenshot issue
• Display port issue
• Black screen issue
• 'Magical' HP printer issue
• 3-4 routers
• Installer issue
• EFI issue
• Autosave cannot save (seems OK as the disk appears to be an installer DVD, no idea how that situation arose)
• Whatever else I missed… and this is about 5% of your issues

You will probably get better answers if you explain each issue concisely in your own topic without the references to other devices. There is little point hijacking this old thread, nothing appears to have fixed the OP's issue. This thread also assumes an unlikely & rare occurrence is the answer to all the issues (a rootkit) - how about ruling out all of the simpler explanations first.

All of these issues in one device could indicate you have a 'lemon', a device that is plagued by issues & needs an expert to diagnose and/or repair, with all respect, you don't seem to talk like a computer expert, seek help from someone else.

Also perhaps you are just bad with technology, nothing is wrong with that but you should seek help from a third party. There are many things I cannot do (plumbing, brain surgery…) so paying someone else is the only option I have, otherwise I cause bigger problems.

[P.S. above is 370 words & is probably considered to long by some, I shall not be adding more to this thread]

I see nothing here but a work of fiction. Especially phones with no power source of any kind (you removed the batteries) still magically continuing to be infected with - something.

Restart the Mac and hold down the Command+Option+R keys to boot into Internet Recovery Mode. The Mac boots to its firmware this way, bypassing anything on the drive completely. Launch Disk Utility and click on the physical drive name at the far left. Choose the Partition tab. Change the default of "Current" to something else. If the drive is one partition now, and that's all you want, choose 1 Partition. Click Apply.

This will entirely wipe out the drive, including the current hidden Recovery partition. When it's done, exit Disk Utility and choose to install OS X. The version your Mac shipped with will be installed and all will be squeaky clean.

Newly leaked documents 3/23/17, Networkworld.com, Wikileaks confirms low-level intelligence hacks on iphone and Macbookpro using Sonic Screwdriver and Der Starke rootkit,malware. Using Extensible Firmware Interface-EFI and will infect firmware to the the kernel and beyond. Many don't understand what and why this affects their iPhones and MacBooks at the same time! Look on Networkworkworld.com/Newly leaked documents show low level, etc.Definitely a firmware install in most cases as the article states. Sorry for your trouble,maybe this is it.. It may work with thunderbolt 2 as well.

Sonic Screwdriver

An interesting find, but old news. Apple has a patch that's been in effect for that for quite a while. Macs built after 2013 cannot be affected. Der Starke is also from about 2013. As one of the few the articles that even came up in a Google search that discusses it, they're not sure it even works anymore. This PDF talks about it at a bit more length. Once again, affected Macs (that they know of) are those built before 2013. So, it would appear this is also a dead threat already patched against.

Glad to read "wikileaks" article is old news. Still new to mac and really appreciate the advice to re-set router passwords. Admin is not a password! This whole exchange is super helpful for me. So much scatter and rumor on web.. Thanks for the router tip. What we are being told is sometimes not based on reality!

I’m not quite certain where to begin. It took me at least 10 minutes trying to log in to the board in order to post this.

Scissor, how unbeliably relieving it was to read your post. People have been asking about my “foil hat” for some time - I’ve finally gotten to the point where I just don’t talk about all the “anomalies” I’ve experienced.

I’m posting this (or attempting to) from my phone that obviously has some issues. In just logging in with my two factor authentication, no text received...at least no pop-up. My secondary line which I have never connected to WiFi, did receive it. Clicking the 6 digit empty boxes to input that code, the bottom of my screen created a white area about 1/3 of an inch wide - where the keyboard should have been.

I took a video from another device as screen shots from this one didn’t seem to work. Where the keyboard should have been, pressing the area would actually input numbers - and then after about 15 seconds...black screen with the white scrolling circle. Likely some very odd glitch or “anomaly”, which I’ve just come accustomed to at this point. Finally a hard reset I was able to see the keypad and login.

That being said - I completely believe everything you’re saying. I’d love to actually reach out to someone who has experience in dealing with this sort of thing - I’m at my wits end.

My “issues” started about 4 years ago. I won’t bother getting into what those issues are- I will say that perhaps much of them are simply just bugs and glitches that are expected in devices and such.

I’ll just say that I can more or less pinpoint when and how these almost exact anomalies you experience started for me.

I have one of the last MacBook Pro 17” models made. I have 3 or 4 Mini DisplayPort adapters, as they would malfunction and I’d buy another - using that laptop on an external monitor. I can even pinpoint where and when I bought those adapters.

I could write a novel, I won’t. I’m hoping an expert here might put my mind at ease on this one issue (with this laptop).

Fast forward 3.5 years of these “issues” I’ve gotten to the point where I do my best to ignore them.

So, this computer I wouldn’t dare power on. Until recently. I found the original box, and Snow Leopard install disk, along with the hardware disk that came with the laptop. (Countless internet recoveries and also bringing into the Apple store for the same - well...I’ll say I’ve had the same issues as you).

I had found the disk I suppose well over two years ago, and this particular laptop obviously has a built in drive. In recovering from this disk, the computer scratched it up badly. I’m sure the drive just had some debris or something that causes it, who’s to say. (Sorry if I jump all over the place...trying to get this posted before my “battery goes dead”).

There has always been an HP printer broadcasting WiFi where I ended up leaving the laptop (family home). It’s a rural area and on the property a $300+ router, you’re lucky if you get 1 bar sitting outside. Yet always that HP printer was here, full bars just about anywhere you’d go. Must have been a neighbor with an amplified WiFi antenna on their roof. Ha.

I cut the power to the entire home at one point, the only signal was yep, an HP printer. I let it go and left the laptop in a drawer (thinking I had disconnected the battery).

6 months ago, that computer had been in the drawer for a year+. I turned it on and it booted right up, I had forgotten to disconnect the battery. I pulled it out because these anomalies seemed to have subside and I just thought well - maybe they were indeed just glitches and bugs that were worked through (and I’m just paranoid). The HP printer broadcast had disappeared. And granted I have been through 3-4 routers (all of which when I connect them to the network, the manual reset / factory reset button(s) cease to function. (Perhaps my paperclips are faulty). I wanted to try fixing that laptop anyway.

I bought a device that removes scratches from CD’s, a high end one. Polished it right up. Popped that puppy in the laptop (I disconnected the WiFi and Bluetooth from the board...the antennas anyway)...and started the recovery mode.

I’m hoping this screenshot posts...someone tell me this is completely normal so I can relax. “Error downloading photo from iCloud library”...another glitch and normal - im sure. Tried duplicating it “an error occurred while trying to duplicate this photo”. Thought that might work. It will not let me post a screenshot of this log file. Once I post this I’ll call do my best to figure a workaround.

The first thing the log says is...well, I can’t get this photo attached, and now have posted by mistake.

Anyone on why I can’t attach a photo? It will take me some type to type it all as it is. I’d never have transferred it to a USB (this was six months ago anyway).

The first thing the log file more or less does in the OSX installation is to install printer drivers, nearby printers, and it would hang first thing on an HP printer driver installation.

It halted at NSCocoaDomain Code=642 UserInfo=0x120411680 “You can’t save the file “Autosave information” because the volume “Mac OS Install DVD is read-only.” (Underlying error=.....etc it goes on and on.

I’m willing do donate this along with so many other devices for no other reason that someone telling me I’m not completely crazy.

Oh, and I might mention I had the same error trying to upload images to apples engineering department (over a different device and different situation all together - and also from a different computer) - and the images wouldn’t upload. The senior advisor couldn’t figure it our. I ended up having to email them, and he relayed them - but initially had told me uploading through the website was the only way.

This issue is but about 5% of all the anomalies I’ve run into. I’m surprised I finally was able to post anything here.

Just hoping someone has some feedback and info on how to get a screenshot on here so you guys Sam see this log file.

And one more thing on that laptop, I had tried years ago installing the EFI update, it always failed upon restart. At the time I never thought anything if it.

TMTR. Is there a question in there somewhere?

I read it and was unable to find the question also.

Sarcastic answer are not going to help you get any answers. It is more likely it will scare users all.