Q: Monitoring / Supervision (visual / audio / key logging) via software intrusion or kext / rootkit?
Dear community people,
I am seriously concerned about the security of my Mac OS X system(s) (iMac, 10.11; MacBookPro, 10.10) and the integrity of the way data is processed and dealt with on it (them).
This question shall open a discussion on potential malware / spyware exploits and intrusion doors, and more importantly the ways to remove the code and prevent future intrusions.
I've done my best in researching the topic as far as it made sense to me, and although I am not a security expert, I don't see myself as a careless or unaware user.
The following part describes past security concerns in a summarized form:
[I've had weird things happen on my iMac for a rather long time, and it may certainly be that the problems which appeared first (mouse and keyboard behaving in an uncontrollable way at times, often after waking up from sleep mode) were due to some sort of OS X bug or even malware which may have been introduced by installations of unsigned software.
Back then, I had OS X Mavericks 10.9.x running, and I did update the OS to 10.9.5 but then left it in the status quo for more than 1.5 years - as a music producer running Logic and a lot of third party plug-ins, interface drivers etc. I depend on compatibility of software updates with audio unit plug-ins of a broad range of manufacturers.
From time to time, several abnormalities could be noticed, the majority of them being observable in the behavior of input devices such as Magic Mouse and Apple keyboard; even externally wire-connected Logitech mice did that.
The most common problem here was that a right-click on the mouse produced a left-click on the screen, and sometimes also vice-versa (as you can do with holding down ctrl and clicking).
The problem which showed up much earlier was related to keyboard input when awakening the computer from sleep mode and being prompted for user password (unlock): I found that any key pressed on the keyboard (once!) results in an endless continuous input of characters as if keys were repeatedly being sent invisibly to the password field, and this problem could not be resolved other than by rebooting the machine - and then, it was only a matter of time until the problem returned.]
I put the above part in brackets because I don't know how probable a linkage to the recent problem is.
After completely unexpected issues of the OS on my iMac (still 10.9.5, that was ~2 weeks ago) rebooting without any request (two Adobe CC apps were launching, then upon opening the Spotify app the OS quit its service and directly a white screen with the Apple sign appeared, presumably trying to install some sort of software without having been asked or giving any notice), I wiped all data from the hard drive using Apple's Disk Utility software. I booted from a USB drive with the El Capitan (10.11) installer (via createinstallmedia) on it and went through several deletion passes, assuming that potential mal- or spyware should have been gone by then.
Speed issues had disappeared after the clean install (which took a long time, believe me, due to the many system-bound authorizations stored on my computer) and kind of reappeared two or three days ago. I must admit that I installed a load of (legit) software though, but I paid attention only to install "trusted" packages. Most of them are audio software and plug-ins, such as Native Instruments Komplete and Waves effects etc., others are image processing software and also developer tools and utilities.
Software like the Avid Application Manager, required to launch ProTools 12, is one of the factors always slowing my system down, which has of course nothing to do with its integrity.
I guess I might have installed compromised packages somewhere but I don't find it very likely.
Furthermore, I doubt that anybody actually replaced ProTools installers on Avid's website or any other similarly trusted software product as it was done with TransmissionBT on Aug 28th and 29th (2016) ("Keydnap attack").
Still, I do believe that somehow a cleverly programmed malware code made it to my system core and hides from being discovered. The first thing I thought of was code in the form of an AppleScript because such signs randomly show up on system shutdowns. I don't know if that is a legit suspicion. Carry on reading, I'll come to the point.
One or two days ago, I shut down my computer unexpectedly (I think Carbon Copy Cloner had got stuck) and noticed potential signs of supervision software running on my system covertly. Just before the "white screen", a grey menu bar showed up on top of the screen, reading "OS X [someword]" - I had a second or so before it disappeared, but I think it read "Partner supervision" - so that would give "OS X partner supervision" (translated from German).
Possibly, this is part of Apple's DEP program for enterprises, but this is my personal computer and private system - none of the systems I own has any relationship to businesses / corporations etc. and any kind of these attacks can thus be legitimately considered as a highly criminal act.
The questions asked are:
- how can I verify what service this was, and then remove it, if positive?
- is it possible for some software to inject malicious code into the kernel and then act as a rootkit? Any help on how to effectively check for and kill such modifications and possible data logging / supervision / transmission would be appreciated. As stated, I expect possible activities in this field to be hidden proficiently from the eyes of an "average user". The underlying concern is that some software in the style of "child supervision" misused by people with nefarious intentions might have infected my system.
- can I trace logging via opensnoop / DTrace (for instance)?
- Is it possible that someone can install such malicious software using my Apple-ID and password, potentially stolen from the keychain?
- if the corresponding code(s) are persistent, what can I do to delete them? Can malware sources burn themselves to an "untouched" part of the drive and "resurrect" upon a clean install of the OS or update?
I'm trying to get rid of any potential exploit as soon as possible.
Thanks for your help, and for reading the description!
(I'm new to the community and hope you'll forgive me potential formal mistakes)
iMac (27-inch, Late 2013), OS X El Capitan (10.11.6)
Posted on Sep 7, 2016 3:18 PM
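Two of the questions above (are there third-party kernel extensions loaded, and what do persistent launchd jobs actually run?) can be triaged from the output of `kextstat` and the plists under /Library/LaunchDaemons and /Library/LaunchAgents. The following is an added example, not from the original post: it parses a constructed sample of `kextstat` output and a constructed launchd plist (the com.example.* identifiers and paths are made up) and flags what a user should look at first.

```python
"""Triage helpers for a suspected persistent/kernel-level intrusion on OS X.
Inputs here are constructed samples so the script runs anywhere; on a Mac,
feed it the real output of `kextstat` and the real plist files instead."""
import plistlib
import re

# Constructed sample of `kextstat` output, in the column layout OS X prints.
SAMPLE_KEXTSTAT = """\
Index Refs Address            Size       Wired      Name (Version) <Linked Against>
    1   90 0xffffff7f80a2b000 0x8e30     0x8e30     com.apple.kpi.bsd (15.6.0)
   25    0 0xffffff7f81b20000 0x1a000    0x1a000    com.apple.driver.AppleHDA (274.12)
  130    0 0xffffff7f82c00000 0x7000     0x7000     com.example.audio.driver (1.2.3) <25 1>
  131    0 0xffffff7f82d00000 0x3000     0x3000     com.example.hidden.helper (0.1) <1>
"""

# Index, Refs, Address, Size, Wired, then the bundle id and "(version)".
KEXT_LINE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+0x[0-9a-f]+\s+0x[0-9a-f]+\s+0x[0-9a-f]+\s+(\S+)\s+\(([^)]*)\)")


def third_party_kexts(kextstat_output):
    """Return (bundle_id, version) for every loaded kext outside com.apple.*.
    Anything listed here is code running in the kernel that Apple did not ship;
    each entry should be matched to a driver you knowingly installed."""
    found = []
    for line in kextstat_output.splitlines():
        m = KEXT_LINE.match(line)
        if m and not m.group(3).startswith("com.apple."):
            found.append((m.group(3), m.group(4)))
    return found


# Constructed launchd job plist (hypothetical label and program path).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>Label</key><string>com.example.helper</string>
<key>ProgramArguments</key><array><string>/Library/Application Support/Example/helper</string><string>--daemon</string></array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>"""


def describe_launchd_job(plist_bytes):
    """Summarise a launchd plist: which binary it runs and whether launchd
    starts it automatically (RunAtLoad) or restarts it when killed (KeepAlive)."""
    job = plistlib.loads(plist_bytes)
    program = job.get("Program") or job.get("ProgramArguments", ["?"])[0]
    return {"label": job.get("Label"), "program": program,
            "persistent": bool(job.get("RunAtLoad") or job.get("KeepAlive"))}
```

Run each flagged kext bundle id and launchd program path past the software you remember installing; a job that is persistent and points at a path you cannot account for is the first thing to investigate.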