ALL System Root Certificates Invalid in 10.12.3!

Question

Level 3

759 points

ALL System Root Certificates Invalid in 10.12.3!

Hi,

Any help is appreciated. I unboxed my new MBP 2016 today and immediately upgraded to 10.12.3. However, upon examination of my keychain, I get the following for literally EVERY System Root Certificate in Code Signing Evaluation:

I get the following with generic evaluation:

Needless to say, this seems completely bizarre to me.

To give you some backstory, I did have a previous MBP and iPhone 6s get hacked into obliteration. Please note, I never jailbroke or modified either of them, no Darknet, etc. I'm generally a good boy on the internet. However, I experienced full data loss, destruction of business website, redirection of its domain, stolen CC's, I could go on and on. Anyhow, after the local Apple Store unlocked the BIOS, which was kind of part 1 of the hack, they supposedly reinstalled a clean version of Sierra, the machine was still leaking some very strange packets observed in a Wireshark analysis. This was even after shutting down my original ISP account, opening a new one and replacing my router with a Nighthawk AC1900.

On the previously hacked machine, I experienced a similar issue, although in that case the code signing evaluation yielded the following: "root ALSO in system roots: invalid key usage, invalid extended key usage". Therefore, this freaks me out a good bit.

So, I did a FULL scrub of all things digital. I replaced ALL hardware, changed ISP's, eliminated old email accounts and created new ones (I use Protonmail now), new iCloud account - literally everything you could imagine to ensure that short of changing physical addresses, my former digital identity was erased. To give further context, I now have to walk into my two banks and present two forms of ID and a verbal password to handle money.

Anyways, enough of the backstory, that should be sufficient. But, needless to say, I'm paranoid now that somehow, someway maybe I let something traverse to this new system. However, those old devices aren't even in my house, so I don't know how such a thing is possible and I'm connecting to the internet via tethering from my iPhone that was setup with a new carrier and phone number during the aforementioned scrubbing process.

If you need anymore detail, please feel free to ask, but I'll leave it at that for now. However, I am super paranoid now and would really appreciate some clarity on this issue from an expert (AppleCare has been useless throughout this process, I've even spoken with engineers who haven't been capable of giving me answers). So, here I am, coming to this community for help. In return, I will actively participate in helping others because I like and still believe in Apple products and have observed the community for a long time and now want to be a real part of it.

Thanks in advance to anyone who can provide some help and/or clarity on this matter.

Best Regards,

Andrew Schweiger

MacBook Pro with Retina display, macOS Sierra (10.12.3), null

Posted on Jan 24, 2017 3:32 PM

Reply

Answer 1

Drew Reece

Level 6

10,684 points

Jan 27, 2017 2:17 PM in response to Schwigs

If Apple tell you to contact the government/ law enforcement then that is what you should do. We can't help via the internet. EFI attacks have been discussed in various research papers but cannot be solved via forums like this (if they can be solved at all). Frankly if the EFI is 'hacked' you need to abandon the Mac, look at the research papers if you think I am being harsh. EFI attacks are potentially insidious alterations that cannot be removed, 3 letter agency stuff beyond most script kiddies & jilted ex's.

Mac's do not have 'BIOS', they use EFI instead. There is a nuanced difference between them. It makes me think you are being duped or not listening to what the technicians are telling you when you claim it had to be 'bios unlocked'. Misunderstanding critical details seems to be part of your problem…

'Disk Utility' as you call it seems more likely to be the recovery system - it has a lot of complex 'juggling' to do. Having many partitions mounted in that mode has always been the case as far as I can tell. It is running an entire OS & repair system from a 650MB partition. I have 17 partitions listed in df when running inside a 10.9 recovery OS, 2 are external disks the rest is part of how recovery works (or maybe everyone is 'EFI hacked' OMG!?!?).

df is disk free space, not disk find.

It may be normal for multiple listings to be shown in df, I have /home, /dev and /net for example in a normal boot, it really depends on what the Mac is doing, certain apps will mount dmgs invisibly for updates etc (Google and Adobe seem to do it a lot).

You keep asserting the certificates 'are not found in root' but that is NOT THE CASE. The certs are valid - look at the text next to the green checkmark! I'm convinced you are simply running tests on a cert that are inappropriate and you have not acknowledged that at all.

Schwigs wrote:

So, here's what I'm thinking -- maybe take the machine back to Best Buy and exchange for new one. Power off my iPhone (who knows, it could be the source of the problem though I have a new one on a new account with a new number like I said and it never "touched" any of the dirty hardware) just in case, setup the machine in the parking lot and see what happens?

Do that or visit any Apple store - run your same certificate validation on their Macs using the same faulty option (code signing) you should see the same thing that you claim is an error. I believe the error is that you are choosing the wrong option to evaluate the cert.

Schwigs wrote:

Idk, maybe I'm a paranoid *******, but we did find that someone put a packet sniffer somewhere near my property when I got hacked. It was attached to my wifi (which has since been disposed of, only use USB tethering now), but I've wondered if it was Bluetooth or NFC capable as well. All you'd have to do is hook it to a cell phone and power supply and poof, you can hack me all day with the right tools.

Have you even read the Etrecheck report you posted?

[loaded] com.apple.bluetooth.PacketLogger.plist (2016-09-09) - /AppleInternal/DevTools/Hardware/PacketLogger.app/Contents/MacOS/PacketLogger: Executable not found!

That looks like a packet logger that is probably part of the Apple store iOS test tools - your Mac is not as clean as you think. Google it…

https://www.theiphonewiki.com/wiki/Apple_Internal_Apps

It was once set to run but now those tools are missing from that location.

Schwigs wrote:

Last question before I do that - is there any way to verify root certs directly with Apple via an SSL connection or something like that? I mean, all of mine match up with what's on their list for Sierra, but if they're in the wrong "place", then that seems screwy.

Apple's site listing the certs already uses SSL the URL is httpS

List of available trusted root certificates in macOS Sierra - Apple Support

View that page on a computer or device that you do not think is 'hacked'. Check the cert on that site too before you trust the page. I don't know what you mean by the certs being in the 'wrong place'. If they were wrong they would not validate.

You can't 'reflash the original firmware' if you believe the EFI is hacked - that is the point of those attacks, seriously get rid of the Mac.

I'm afraid I don't think I can help you beyond the info above.

You appear to be making assumptions & misunderstanding parts of the OS that is normal. You may need to turn your focus towards yourself instead of the Mac - how much do you really know to judge what is faulty or unusual on macOS?

Perhaps it is just how it goes when trying to troubleshoot issues like this via the internet. Unfortunately it appears to be a never ending problem with you finding more reasons to assume, misunderstand & create ideas that the Mac is not correct. I'd wipe it to remove the Apple left overs from Apple's tools.

I suggest you simply erase the Mac & return it or contact the government/ law enforcement.

Reply

Answer 2

Drew Reece

Level 6

10,684 points

Jan 24, 2017 9:09 PM in response to Schwigs

It is not clear what revelation those image are meant to show - Certification Assistant is for making your own signed certs & vertifying others, provided you choose the correct options. I do not think you should try to use Apple's code signing policy to evaluate that root certificate (or any other root cert - I doubt they have code signing enabled).

If you want to confirm the installed certificates are legit you need to compare to the ones that Apple list…

List of available trusted root certificates in macOS Sierra - Apple Support

Or for earlier OS's Lists of available trusted root certificates in macOS - Apple Support

and iOS…

Lists of available trusted root certificates in iOS - Apple Support

I get the same 'error' when trying to evaluate Apple Root CA as a code signing cert on 10.9. I also get an 'error' when I hit screws into wood with a hammer, something about using the wrong tools to do a job springs to mind… 🙂

I may be totally wrong, certificates are a minefield of complexity if you want to get into detail, however I think you are evaluating using the wrong settings & assuming everything is bad.

It looks fine if I evaluate as a generic (certificate chain validation). Hit the 'learn more' button to get info on trust policies if you have that button…

Reply

Answer 3

Schwigs Author

Level 3

759 points

Jan 24, 2017 9:20 PM in response to Drew Reece

Thank you sincerely for the info, Drew. It just seems odd is all and with what I went through recently I'm just rather spooked over everything. I can't imagine a clean machine could get hacked or corrupted so quickly, but it gives me pause nonetheless. If I were to explain the whole hack and everything that followed you'd think I was a lying psychopath, so I won't go further into it, but I do want to make sure I cover all my bases.

Here is another one, albeit a different result I got with code signing:

It just seems odd that when evaluating that Keychain doesn't find the actual ROOT certificate in the ROOT. But, if I'm not the only one to experience this issue then I suppose it's worth letting go. I ran an Etrecheck just for the **** of it and the results are below. I suppose I'll let it go since I didn't get a flood of alarming responses, but I also couldn't find anything of the sort on Google, so I figured I'd bring it here. I any event, I appreciate you taking the time to respond. If you see anything further that raises an eyebrow, I'd be grateful for your feedback. Otherwise, I'll just off off. Thanks, Drew!

EtreCheck version: 3.1.5 (343)

Report generated 2017-01-25 00:15:28

Download EtreCheck from https://etrecheck.com

Runtime 1:23

Performance: Excellent

Click the [Support] links for help with non-Apple products.

Click the [Details] links for more information about that line.

Show signature failures: Enabled

Ignore known Apple failures: Disabled

Hide Apple tasks: Disabled

Problem: Other problem

Description:

Certificates not in root

Hardware Information:ⓘ

MacBook Pro (Retina, 15-inch, Mid 2015)

[Technical Specifications] - [User Guide] - [Warranty & Service]

MacBook Pro - model: MacBookPro11,4

1 2.2 GHz Intel Core i7 (i7-4770HQ) CPU: 4-core

16 GB RAM Not upgradeable

BANK 0/DIMM0

8 GB DDR3 1600 MHz ok

BANK 1/DIMM0

8 GB DDR3 1600 MHz ok

Bluetooth: Good - Handoff/Airdrop2 supported

Wireless: Unknown Battery: Health = Normal - Cycle count = 2

Video Information:ⓘ

Intel Iris Pro

Color LCD 3840 x 2400

System Software:ⓘ

macOS Sierra 10.12.3 (16D32) - Time since boot: about 2 hours

Disk Information:ⓘ

APPLE SSD SM0256G disk0 : (251 GB) (Solid State - TRIM: Yes)

[Show SMART report]

EFI (disk0s1) <not mounted> : 210 MB

Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB

Macintosh HD (disk1) / [Startup]: 249.78 GB (221.34 GB free)

Encrypted AES-XTS Unlocked

Core Storage: disk0s2 250.14 GB Online

USB Information:ⓘ

Apple Inc. Apple Internal Keyboard / Trackpad

Broadcom Corp. Bluetooth USB Host Controller

Apple Inc. iPhone

Thunderbolt Information:ⓘ

Apple Inc. thunderbolt_bus

Gatekeeper:ⓘ

Mac App Store

System Launch Agents:ⓘ

[loaded] com.apple.AOSHeartbeat.plist (2017-01-24)

[loaded] com.apple.AOSPushRelay.plist (2017-01-24)

[loaded] com.apple.AddressBook.AssistantService.plist (2017-01-24)

[running] com.apple.AddressBook.ContactsAccountsService.plist (2017-01-13)

[running] com.apple.AddressBook.SourceSync.plist (2017-01-24)

[loaded] com.apple.AddressBook.abd.plist (2017-01-24)

[running] com.apple.AirPlayUIAgent.plist (2017-01-24)

[loaded] com.apple.AirPortBaseStationAgent.plist (2016-09-13)

[not loaded] com.apple.AppleGraphicsWarning.plist (2017-01-24)

[loaded] com.apple.AskPermissionUI.plist (2017-01-24)

[loaded] com.apple.AssetCacheLocatorService.plist (2017-01-13)

[loaded] com.apple.AssistiveControl.plist (2017-01-24)

[running] com.apple.CalendarAgent.plist (2017-01-13)

[running] com.apple.CallHistoryPluginHelper.plist (2017-01-13)

[running] com.apple.CallHistorySyncHelper.plist (2017-01-13)

[running] com.apple.CommCenter-osx.plist (2017-01-13)

[running] com.apple.ContactsAgent.plist (2017-01-13)

[loaded] com.apple.ContainerRepairAgent.plist (2017-01-13)

[running] com.apple.CoreAuthentication.agent.plist (2017-01-13)

[loaded] com.apple.CoreLocationAgent.plist (2017-01-24)

[loaded] com.apple.CoreRAIDAgent.plist (2017-01-13)

[running] com.apple.CryptoTokenKit.ahp.agent.plist (2017-01-13)

[loaded] com.apple.DataDetectorsLocalSources.plist (2017-01-13)

[loaded] com.apple.DiagnosticReportCleanup.plist (2017-01-13)

[loaded] com.apple.DictationIM.plist (2017-01-24)

[loaded] com.apple.DiskArbitrationAgent.plist (2017-01-13)

[running] com.apple.Dock.plist (2017-01-24)

[loaded] com.apple.DwellControl.plist (2017-01-24)

[loaded] com.apple.EscrowSecurityAlert.plist (2017-01-24)

[loaded] com.apple.FTCleanup.plist (2016-09-13)

[loaded] com.apple.FileStatsAgent.plist (2016-09-13)

[loaded] com.apple.FilesystemUI.plist (2017-01-24)

[running] com.apple.Finder.plist (2017-01-24)

[loaded] com.apple.FirmwareUpdateHelper.plist (2017-01-24)

[running] com.apple.FolderActionsDispatcher.plist (2017-01-24)

[running] com.apple.FollowUpUI.plist (2017-01-24)

[loaded] com.apple.FontRegistryUIAgent.plist (2017-01-24)

[loaded] com.apple.FontValidator.plist (2017-01-13)

[loaded] com.apple.FontValidatorConduit.plist (2017-01-13)

[loaded] com.apple.FontWorker.plist (2017-01-13)

[loaded] com.apple.IMLoggingAgent.plist (2017-01-13)

[loaded] com.apple.InstallerProgress.la.plist (2017-01-24)

[loaded] com.apple.LocalAuthentication.UIAgent.plist (2017-01-13)

[loaded] com.apple.MRTa.plist (2017-01-24)

[loaded] com.apple.ManagedClientAgent.agent.plist (2017-01-13)

[not loaded] com.apple.ManagedClientAgent.enrollagent.plist (2017-01-13)

[running] com.apple.Maps.pushdaemon.plist (2017-01-13)

[loaded] com.apple.NetworkDiagnostics.plist (2017-01-24)

[loaded] com.apple.NowPlayingTouchUI.plist (2017-01-24)

[running] com.apple.OSDUIHelper.plist (2017-01-24)

[loaded] com.apple.PCIESlotCheck.plist (2017-01-13)

[loaded] com.apple.PIPAgent.plist (2017-01-24)

[loaded] com.apple.PackageKit.InstallStatus.plist (2017-01-24)

[loaded] com.apple.PhotoLibraryMigrationUtility.XPC.plist (2017-01-24)

[loaded] com.apple.PubSub.Agent.plist (2017-01-24)

[loaded] com.apple.RemoteDesktop.plist (2017-01-24)

[loaded] com.apple.ReportCrash.Self.plist (2017-01-13)

[loaded] com.apple.ReportCrash.plist (2017-01-13)

[not loaded] com.apple.ReportGPURestart.plist (2017-01-13)

[loaded] com.apple.ReportPanic.plist (2017-01-24)

[loaded] com.apple.SSInvitationAgent.plist (2017-01-24)

[running] com.apple.Safari.SafeBrowsing.Service.plist (2016-09-13)

[running] com.apple.SafariCloudHistoryPushAgent.plist (2017-01-13)

[running] com.apple.SafariNotificationAgent.plist (2017-01-13)

[loaded] com.apple.SafariPlugInUpdateNotifier.plist (2017-01-13)

[loaded] com.apple.ScreenReaderUIServer.plist (2017-01-24)

[running] com.apple.Siri.plist (2017-01-24)

[running] com.apple.SocialPushAgent.plist (2017-01-24)

[running] com.apple.Spotlight.plist (2017-01-24)

[loaded] com.apple.StorageManagementUIHelper.plist (2017-01-24)

[running] com.apple.SystemUIServer.plist (2017-01-24)

[loaded] com.apple.TMHelperAgent.SetupOffer.plist (2017-01-24)

[loaded] com.apple.TMHelperAgent.plist (2017-01-24)

[loaded] com.apple.TrustEvaluationAgent.plist (2017-01-13)

[running] com.apple.USBAgent.plist (2017-01-13)

[running] com.apple.UserEventAgent-Aqua.plist (2016-09-13)

[not loaded] com.apple.UserEventAgent-LoginWindow.plist (2016-09-13)

[not loaded] com.apple.UserNotificationCenterAgent-LoginWindow.plist (2017-01-24)

[loaded] com.apple.UserNotificationCenterAgent.plist (2017-01-24)

[loaded] com.apple.VoiceOver.plist (2017-01-24)

[loaded] com.apple.WebKit.PluginAgent.plist (2017-01-24)

[running] com.apple.WiFiVelocityAgent.plist (2017-01-13)

[loaded] com.apple.ZoomWindow.plist (2017-01-24)

[loaded] com.apple.accessibility.dfrhud.plist (2017-01-24)

[running] com.apple.accountsd.plist (2017-01-13)

[loaded] com.apple.akd.plist (2017-01-13)

[loaded] com.apple.alf.useragent.plist (2017-01-13)

[loaded] com.apple.appleseed.seedusaged.plist (2017-01-13)

[loaded] com.apple.appsleepd.plist (2017-01-13)

[loaded] com.apple.appstoreupdateagent.plist (2017-01-13)

[loaded] com.apple.apsctl.plist (2017-01-13)

[running] com.apple.askpermissiond.plist (2017-01-13)

[loaded] com.apple.assistant_service.plist (2017-01-13)

[running] com.apple.assistantd.plist (2017-01-13)

[loaded] com.apple.avconferenced.plist (2017-01-13)

[running] com.apple.bird.plist (2017-01-13)

[loaded] com.apple.bluetooth.PacketLogger.plist (2016-09-09) - /AppleInternal/DevTools/Hardware/PacketLogger.app/Contents/MacOS/PacketLogger: Executable not found!

[loaded] com.apple.bluetoothUIServer.plist (2017-01-24)

[loaded] com.apple.btsa.plist (2017-01-24)

[running] com.apple.cache_delete.plist (2017-01-13)

[running] com.apple.cdpd.plist (2017-01-13)

[loaded] com.apple.cfnetwork.AuthBrokerAgent.plist (2016-09-13)

[loaded] com.apple.cfnetwork.cfnetworkagent.plist (2016-09-13)

[running] com.apple.cfprefsd.xpc.agent.plist (2017-01-13)

[running] com.apple.cloudd.plist (2017-01-13)

[loaded] com.apple.cloudfamilyrestrictionsd-mac.plist (2017-01-13)

[running] com.apple.cloudpaird.plist (2017-01-13)

[running] com.apple.cloudphotosd.plist (2017-01-24)

[running] com.apple.cmfsyncagent.plist (2017-01-24)

[loaded] com.apple.controlstrip.plist (2017-01-24)

[loaded] com.apple.coreservices.UASharedPasteboardProgressUI.plist (2017-01-24)

[running] com.apple.coreservices.appleid.authentication.plist (2017-01-13)

[running] com.apple.coreservices.lsactivity.plist (2017-01-13)

[running] com.apple.coreservices.sharedfilelistd.plist (2017-01-13)

[running] com.apple.coreservices.uiagent.plist (2017-01-24)

[loaded] com.apple.csuseragent.plist (2017-01-13)

[loaded] com.apple.ctkbind.plist (2017-01-13)

[running] com.apple.ctkd.plist (2017-01-13)

[loaded] com.apple.cvmsCompAgent3425AMD_i386.plist (2017-01-13)

[loaded] com.apple.cvmsCompAgent3425AMD_i386_1.plist (2017-01-13)

[loaded] com.apple.cvmsCompAgent3425AMD_x86_64.plist (2017-01-13)

[loaded] com.apple.cvmsCompAgent3425AMD_x86_64_1.plist (2017-01-13)

[loaded] com.apple.cvmsCompAgent3600_i386.plist (2017-01-13)

[loaded] com.apple.cvmsCompAgent3600_i386_1.plist (2017-01-13)

[loaded] com.apple.cvmsCompAgent3600_x86_64.plist (2017-01-13)

[loaded] com.apple.cvmsCompAgent3600_x86_64_1.plist (2017-01-13)

[loaded] com.apple.cvmsCompAgentLegacy_i386.plist (2017-01-13)

[loaded] com.apple.cvmsCompAgentLegacy_i386_1.plist (2017-01-13)

[loaded] com.apple.cvmsCompAgentLegacy_x86_64.plist (2017-01-13)

[loaded] com.apple.cvmsCompAgentLegacy_x86_64_1.plist (2017-01-13)

[loaded] com.apple.cvmsCompAgent_i386.plist (2017-01-13)

[loaded] com.apple.cvmsCompAgent_i386_1.plist (2017-01-13)

[running] com.apple.cvmsCompAgent_x86_64.plist (2017-01-13)

[loaded] com.apple.cvmsCompAgent_x86_64_1.plist (2017-01-13)

[running] com.apple.diagnostics_agent.plist (2017-01-13)

[loaded] com.apple.diskspaced.plist (2017-01-13)

[running] com.apple.distnoted.xpc.agent.plist (2017-01-13)

[loaded] com.apple.dt.CommandLineTools.installondemand.plist (2017-01-24)

[loaded] com.apple.eosauthagent.plist (2017-01-13)

[loaded] com.apple.eospreflightagent.plist (2017-01-13)

[running] com.apple.familycircled.plist (2017-01-13)

[loaded] com.apple.familycontrols.useragent.plist (2017-01-24)

[loaded] com.apple.familynotificationd.plist (2017-01-24)

[loaded] com.apple.findmymacmessenger.plist (2017-01-24)

[running] com.apple.followupd.plist (2017-01-13)

[loaded] com.apple.fontd.useragent.plist (2017-01-13)

[running] com.apple.gamed.plist (2017-01-13)

[running] com.apple.geodMachServiceBridge.plist (2017-01-13)

[loaded] com.apple.helpd.plist (2017-01-13)

[loaded] com.apple.iCloudUserNotifications.plist (2017-01-24)

[running] com.apple.icdd.plist (2017-01-13)

[loaded] com.apple.icloud.findmydeviced.findmydevice-user-agent.plist (2017-01-13)

[running] com.apple.icloud.fmfd.plist (2017-01-13)

[running] com.apple.iconservices.iconservicesagent.plist (2017-01-13)

[running] com.apple.identityservicesd.plist (2017-01-24)

[loaded] com.apple.idsremoteurlconnectionagent.plist (2017-01-24)

[running] com.apple.imagent.plist (2017-01-24)

[loaded] com.apple.imautomatichistorydeletionagent.plist (2017-01-24)

[loaded] com.apple.imavagent.plist (2017-01-24)

[running] com.apple.imklaunchagent.plist (2017-01-13)

[loaded] com.apple.imtransferagent.plist (2017-01-24)

[loaded] com.apple.installandsetup.migrationhelper.user.plist (2017-01-13)

[loaded] com.apple.installd.user.plist (2017-01-13)

[loaded] com.apple.isst.plist (2017-01-13)

[loaded] com.apple.java.InstallOnDemand.plist (2016-09-13)

[loaded] com.apple.java.updateSharing.plist (2016-09-13)

[running] com.apple.keyboardservicesd.plist (2017-01-13)

[loaded] com.apple.languageassetd.plist (2016-09-13)

[running] com.apple.lateragent.plist (2017-01-24)

[loaded] com.apple.locationmenu.plist (2017-01-24)

[loaded] com.apple.loginwindow.LWWeeklyMessageTracer.plist (2017-01-13)

[running] com.apple.lsd.plist (2017-01-13)

[loaded] com.apple.maspushagent.plist (2017-01-13)

[loaded] com.apple.mbbackgrounduseragent.plist (2017-01-13)

[loaded] com.apple.mbfloagent.plist (2017-01-13)

[loaded] com.apple.mbuseragent.plist (2017-01-13)

[loaded] com.apple.mdmclient.agent.plist (2017-01-13)

[loaded] com.apple.mdworker.32bit.plist (2017-01-13)

[loaded] com.apple.mdworker.bundles.plist (2017-01-13)

[loaded] com.apple.mdworker.isolation.plist (2017-01-13)

[loaded] com.apple.mdworker.lsb.plist (2017-01-13)

[loaded] com.apple.mdworker.mail.plist (2017-01-13)

[loaded] com.apple.mdworker.shared.plist (2017-01-13)

[loaded] com.apple.mdworker.single.plist (2017-01-13)

[running] com.apple.mdworker.sizing.plist (2017-01-13)

[loaded] com.apple.mediaanalysisd.plist (2017-01-13)

[running] com.apple.mediaremoteagent.plist (2017-01-13)

[loaded] com.apple.metadata.mdbulkimport.plist (2017-01-13)

[running] com.apple.metadata.mdflagwriter.plist (2017-01-13)

[loaded] com.apple.metadata.mdwrite.plist (2017-01-13)

[loaded] com.apple.midiserver.plist (2017-01-13)

[loaded] com.apple.navd.plist (2017-01-13)

[loaded] com.apple.neagent.plist (2017-01-13)

[loaded] com.apple.netauth.user.auth.plist (2017-01-24)

[loaded] com.apple.netauth.user.gui.plist (2017-01-24)

[running] com.apple.networkserviceproxy-osx.plist (2017-01-13)

[running] com.apple.noticeboard.agent.plist (2017-01-24)

[running] com.apple.notificationcenterui.plist (2017-01-24)

[running] com.apple.nsurlsessiond.plist (2017-01-13)

[running] com.apple.nsurlstoraged.plist (2017-01-13)

[loaded] com.apple.parentalcontrols.check.plist (2017-01-13)

[running] com.apple.parsecd.plist (2017-01-13)

[running] com.apple.passd.plist (2017-01-13)

[running] com.apple.pboard.plist (2017-01-13)

[running] com.apple.pbs.plist (2016-09-13)

[loaded] com.apple.personad.plist (2017-01-13)

[loaded] com.apple.photoanalysisd.plist (2017-01-13)

[running] com.apple.photolibraryd.plist (2017-01-13)

[loaded] com.apple.pictd.plist (2016-09-13)

[running] com.apple.pluginkit.pkd.plist (2017-01-13)

[loaded] com.apple.pluginkit.pkreporter.plist (2017-01-13)

[loaded] com.apple.powerchime.plist (2017-01-24)

[loaded] com.apple.printtool.agent.plist (2017-01-13)

[running] com.apple.printuitool.agent.plist (2017-01-13)

[running] com.apple.protectedcloudstorage.protectedcloudkeysyncing.plist (2017-01-13)

[loaded] com.apple.quicklook.32bit.plist (2017-01-24)

[running] com.apple.quicklook.ThumbnailsAgent.plist (2017-01-13)

[loaded] com.apple.quicklook.config.plist (2017-01-13)

[loaded] com.apple.quicklook.plist (2017-01-24)

[loaded] com.apple.quicklook.ui.helper.plist (2017-01-24)

[loaded] com.apple.rcd.plist (2017-01-24)

[running] com.apple.recentsd.plist (2017-01-13)

[running] com.apple.reversetemplated.plist (2017-01-13)

[loaded] com.apple.safaridavclient.plist (2017-01-13)

[running] com.apple.scopedbookmarkagent.xpc.plist (2017-01-13)

[loaded] com.apple.screencapturetb.plist (2017-01-24)

[loaded] com.apple.screensharing.MessagesAgent.plist (2017-01-13)

[loaded] com.apple.screensharing.agent.plist (2017-01-13)

[loaded] com.apple.scrod.plist (2017-01-13)

[running] com.apple.secd.plist (2017-01-13)

[running] com.apple.secinitd.plist (2016-09-13)

[loaded] com.apple.security.DiskUnmountWatcher.plist (2016-09-13)

[loaded] com.apple.security.agent.plist (2017-01-13)

[running] com.apple.security.cloudkeychainproxy3.plist (2017-01-13)

[running] com.apple.security.idskeychainsyncingproxy.plist (2017-01-13)

[loaded] com.apple.security.keychain-circle-notification.plist (2017-01-24)

[running] com.apple.sharingd.plist (2017-01-13)

[running] com.apple.soagent.plist (2017-01-24)

[running] com.apple.softwareupdate_notify_agent.plist (2017-01-13)

[loaded] com.apple.speech.speechdatainstallerd.plist (2017-01-24)

[loaded] com.apple.speech.speechsynthesisd.plist (2017-01-13)

[loaded] com.apple.speech.synthesisserver.plist (2017-01-24)

[running] com.apple.spindump_agent.plist (2017-01-13)

[running] com.apple.spotlight.IndexAgent.plist (2016-09-13)

[running] com.apple.storeaccountd.plist (2017-01-13)

[running] com.apple.storeassetd.plist (2017-01-13)

[running] com.apple.storedownloadd.plist (2017-01-13)

[loaded] com.apple.storeinappd.plist (2017-01-13)

[loaded] com.apple.storeinstallagent.plist (2017-01-13)

[running] com.apple.storelegacy.plist (2017-01-13)

[running] com.apple.storeuid.plist (2017-01-24)

[running] com.apple.suggestd.plist (2017-01-13)

[not loaded] com.apple.sulogoutmonitor.plist (2017-01-13)

[running] com.apple.swcd.plist (2017-01-13)

[running] com.apple.syncdefaultsd.plist (2017-01-13)

[loaded] com.apple.syncservices.SyncServer.plist (2017-01-24)

[loaded] com.apple.syncservices.uihandler.plist (2017-01-24)

[loaded] com.apple.sysdiagnose_agent.plist (2017-01-13)

[loaded] com.apple.systemprofiler.plist (2017-01-24)

[loaded] com.apple.talagent.plist (2017-01-13)

[running] com.apple.tccd.plist (2017-01-13)

[running] com.apple.telephonyutilities.callservicesd.plist (2017-01-13)

[loaded] com.apple.thermaltrap.plist (2017-01-24)

[loaded] com.apple.tiswitcher.plist (2017-01-24)

[loaded] com.apple.touchbar.agent.plist (2017-01-24)

[loaded] com.apple.touristd.plist (2017-01-13)

[running] com.apple.trustd.agent.plist (2017-01-13)

[loaded] com.apple.universalaccessAuthWarn.plist (2017-01-24)

[loaded] com.apple.universalaccessHUD.plist (2017-01-24)

[loaded] com.apple.universalaccesscontrol.plist (2017-01-24)

[loaded] com.apple.universalaccessd.plist (2017-01-13)

[loaded] com.apple.unmountassistant.useragent.plist (2017-01-24)

[running] com.apple.usernoted.plist (2017-01-13)

[loaded] com.apple.warmd_agent.plist (2016-09-13)

[loaded] com.apple.webdriverd.plist (2017-01-13)

[loaded] com.apple.webinspectord.plist (2017-01-13)

[running] com.apple.wifi.WiFiAgent.plist (2017-01-24)

[loaded] com.apple.xpc.loginitemregisterd.plist (2017-01-13)

[loaded] com.apple.xpc.otherbsd.plist (2017-01-13)

[loaded] com.openssh.ssh-agent.plist (2017-01-13)

System Launch Daemons:ⓘ

[not loaded] bootps.plist (2017-01-13)

[running] com.apple.AirPlayXPCHelper.plist (2017-01-13)

[not loaded] com.apple.AppleFileServer.plist (2016-09-13)

[loaded] com.apple.AssetCacheLocatorService.plist (2017-01-13)

[loaded] com.apple.CommCenterRootHelper.plist (2017-01-13)

[running] com.apple.CoreAuthentication.daemon.plist (2017-01-13)

[loaded] com.apple.CoreRAID.plist (2017-01-13)

[running] com.apple.CrashReporterSupportHelper.plist (2017-01-13)

[running] com.apple.CryptoTokenKit.ahp.plist (2017-01-13)

[loaded] com.apple.DataDetectorsSourceAccess.plist (2017-01-13)

[loaded] com.apple.DesktopServicesHelper.plist (2017-01-13)

[running] com.apple.DuetHeuristic-BM-OSX.plist (2017-01-13)

[loaded] com.apple.DumpGPURestart.plist (2017-01-13)

[loaded] com.apple.DumpPanic.plist (2017-01-13)

[running] com.apple.FileCoordination.plist (2017-01-13)

[loaded] com.apple.FontWorker.plist (2017-01-13)

[running] com.apple.GSSCred.plist (2017-01-13)

[loaded] com.apple.GameController.gamecontrollerd.plist (2017-01-13)

[loaded] com.apple.IFCStart.plist (2017-01-13)

[loaded] com.apple.IOAccelMemoryInfoCollector.plist (2017-01-13)

[loaded] com.apple.IOBluetoothUSBDFU.plist (2017-01-13)

[running] com.apple.InstallerDiagnostics.installerdiagd.plist (2017-01-13)

[not loaded] com.apple.InstallerDiagnostics.installerdiagwatcher.plist (2017-01-13)

[loaded] com.apple.InstallerProgress.plist (2017-01-24)

[loaded] com.apple.Kerberos.digest-service.plist (2017-01-13)

[loaded] com.apple.Kerberos.kadmind.plist (2017-01-13)

[loaded] com.apple.Kerberos.kcm.plist (2017-01-13)

[loaded] com.apple.Kerberos.kdc.plist (2017-01-13)

[loaded] com.apple.Kerberos.kpasswdd.plist (2017-01-13)

[running] com.apple.KernelEventAgent.plist (2016-09-13)

[loaded] com.apple.MRTd.plist (2017-01-24)

[loaded] com.apple.ManagedClient.cloudconfigurationd.plist (2017-01-13)

[loaded] com.apple.ManagedClient.enroll.plist (2017-01-24)

[loaded] com.apple.ManagedClient.plist (2017-01-24)

[not loaded] com.apple.ManagedClient.startup.plist (2017-01-24)

[running] com.apple.MobileFileIntegrity.plist (2017-01-13)

[not loaded] com.apple.NetBootClientStatus.plist (2017-01-13)

[loaded] com.apple.NetworkDiagnostics.plist (2017-01-24)

[loaded] com.apple.NetworkLinkConditioner.plist (2017-01-13)

[loaded] com.apple.NetworkSharing.plist (2017-01-13)

[not loaded] com.apple.ODSAgent.plist (2017-01-24)

[loaded] com.apple.PCIELaneConfigTool.plist (2017-01-13)

[not loaded] com.apple.PasswordService.plist (2016-09-13)

[loaded] com.apple.RFBEventHelper.plist (2017-01-13)

[loaded] com.apple.RemoteDesktop.PrivilegeProxy.plist (2017-01-13)

[loaded] com.apple.ReportCrash.Root.plist (2017-01-13)

[loaded] com.apple.ReportPanicService.plist (2017-01-13)

[loaded] com.apple.SCHelper.plist (2017-01-13)

[running] com.apple.SubmitDiagInfo.plist (2017-01-13)

[running] com.apple.TMCacheDelete.plist (2017-01-13)

[loaded] com.apple.TrustEvaluationAgent.system.plist (2017-01-13)

[running] com.apple.UserEventAgent-System.plist (2016-09-13)

[loaded] com.apple.UserNotificationCenter.plist (2017-01-13)

[running] com.apple.WindowServer.plist (2017-01-13)

[running] com.apple.WirelessRadioManagerd-osx.plist (2016-09-13)

[loaded] com.apple.afpfs_afpLoad.plist (2017-01-13)

[loaded] com.apple.afpfs_checkafp.plist (2017-01-24)

[loaded] com.apple.airplaydiagnostics.server.mac.plist (2016-08-04) - /AppleInternal/Applications/AirPlayDiagnostics.app/Contents/Resources/AirPlayDi agnosticsServer: Executable not found!

[loaded] com.apple.airport.wps.plist (2017-01-13)

[running] com.apple.airportd.plist (2017-01-13)

[loaded] com.apple.akd.plist (2017-01-13)

[running] com.apple.alf.agent.plist (2017-01-13)

[loaded] com.apple.appleseed.fbahelperd.plist (2017-01-13)

[loaded] com.apple.applessdstatistics.plist (2017-01-13)

[running] com.apple.apsd.plist (2017-01-13)

[running] com.apple.aslmanager.plist (2017-01-13)

[not loaded] com.apple.atrun.plist (2017-01-13)

[running] com.apple.audio.coreaudiod.plist (2017-01-13)

[running] com.apple.audio.systemsoundserverd.plist (2017-01-13)

[loaded] com.apple.auditd.plist (2016-09-13)

[running] com.apple.autofsd.plist (2017-01-13)

[loaded] com.apple.automountd.plist (2017-01-13)

[loaded] com.apple.avbdeviced.plist (2017-01-13)

[loaded] com.apple.awacsd.plist (2017-01-13)

[running] com.apple.awdd.plist (2017-01-13)

[not loaded] com.apple.backupd-auto.plist (2017-01-13)

[loaded] com.apple.backupd.plist (2017-01-13)

[loaded] com.apple.biokitaggdd.plist (2017-01-13)

[loaded] com.apple.biometrickitd.plist (2017-01-13)

[running] com.apple.blued.plist (2017-01-13)

[loaded] com.apple.bluetoothReporter.plist (2017-01-13)

[loaded] com.apple.bluetoothaudiod.plist (2017-01-13)

[loaded] com.apple.bnepd.plist (2017-01-13)

[loaded] com.apple.bsd.dirhelper.plist (2017-01-13)

[loaded] com.apple.captiveagent.plist (2017-01-13)

[running] com.apple.cfprefsd.xpc.daemon.plist (2017-01-13)

[loaded] com.apple.cloudfamilyrestrictionsd-mac.plist (2017-01-13)

[loaded] com.apple.cmio.AVCAssistant.plist (2017-01-13)

[loaded] com.apple.cmio.AppleCameraAssistant.plist (2017-01-13)

[loaded] com.apple.cmio.IIDCVideoAssistant.plist (2017-01-13)

[running] com.apple.cmio.VDCAssistant.plist (2017-01-13)

[loaded] com.apple.cmio.iOSScreenCaptureAssistant.plist (2017-01-13)

[loaded] com.apple.colorsyncd.plist (2017-01-13)

[not loaded] com.apple.comsat.plist (2016-09-13)

[running] com.apple.configd.plist (2017-01-13)

[loaded] com.apple.configureLocalKDC.plist (2016-07-30) - Shell script!

[loaded] com.apple.corecaptured.plist (2017-01-13)

[running] com.apple.coreduetd.osx.plist (2017-01-13)

[running] com.apple.coreservices.appleevents.plist (2017-01-13)

[loaded] com.apple.coreservices.appleid.passwordcheck.plist (2017-01-13)

[running] com.apple.coreservices.launchservicesd.plist (2017-01-13)

[running] com.apple.coreservices.sharedfilelistd.plist (2017-01-13)

[running] com.apple.coreservicesd.plist (2016-09-13)

[running] com.apple.corestorage.corestoraged.plist (2017-01-13)

[loaded] com.apple.corestorage.corestoragehelperd.plist (2016-09-13)

[running] com.apple.coresymbolicationd.plist (2017-01-13)

[loaded] com.apple.csrutil.report.plist (2017-01-13)

[running] com.apple.ctkd.plist (2017-01-13)

[running] com.apple.cvmsServ.plist (2017-01-13)

[loaded] com.apple.defragx.plist (2017-01-13)

[running] com.apple.diagnosticd.plist (2017-01-13)

[loaded] com.apple.diagnosticextensions.osx.bluetooth.helper.plist (2017-01-13)

[loaded] com.apple.diagnosticextensions.osx.getmobilityinfo.helper.plist (2017-01-13)

[loaded] com.apple.diagnosticextensions.osx.spotlight.helper.plist (2017-01-13)

[loaded] com.apple.diagnosticextensions.osx.timemachine.helper.plist (2017-01-13)

[loaded] com.apple.diagnosticextensions.osx.wifi.helper.plist (2017-01-13)

[running] com.apple.diskarbitrationd.plist (2017-01-13)

[running] com.apple.diskmanagementd.plist (2017-01-13)

[not loaded] com.apple.diskmanagementstartup.plist (2017-01-13)

[running] com.apple.displaypolicyd.plist (2017-01-13)

[running] com.apple.distnoted.xpc.daemon.plist (2017-01-13)

[not loaded] com.apple.dnsextd.plist (2017-01-13)

[loaded] com.apple.dpaudiothru.plist (2016-09-13)

[loaded] com.apple.dpd.plist (2016-09-13)

[running] com.apple.dprivacyd.plist (2017-01-13)

[loaded] com.apple.dspluginhelperd.plist (2017-01-13)

[loaded] com.apple.dvdplayback.setregion.plist (2016-09-13)

[loaded] com.apple.dynamic_pager.plist (2017-01-13)

[loaded] com.apple.dz.dznd.plist (2017-01-13)

[loaded] com.apple.eapolcfg_auth.plist (2017-01-13)

[loaded] com.apple.efilogin-helper.plist (2017-01-13)

[not loaded] com.apple.emlog.plist (2016-07-30) - Shell script!

[loaded] com.apple.emond.aslmanager.plist (2017-01-13)

[loaded] com.apple.emond.plist (2017-01-13)

[loaded] com.apple.eoshostd.plist (2017-01-13)

[not loaded] com.apple.eppc.plist (2017-01-13)

[loaded] com.apple.familycontrols.plist (2017-01-13)

[loaded] com.apple.findmymac.plist (2017-01-13)

[loaded] com.apple.findmymacmessenger.plist (2017-01-24)

[not loaded] com.apple.firmwaresyncd.plist (2017-01-13)

[loaded] com.apple.fontd.plist (2017-01-13)

[loaded] com.apple.fontmover.plist (2017-01-13)

[running] com.apple.fseventsd.plist (2017-01-13)

[not loaded] com.apple.ftp-proxy.plist (2016-09-13)

[not loaded] com.apple.getty.plist (2017-01-13)

[loaded] com.apple.gkreport.plist (2016-08-15) - Shell script!

[loaded] com.apple.gssd.plist (2017-01-13)

[running] com.apple.hdiejectd.plist (2017-01-13)

[running] com.apple.hidd.plist (2017-01-13)

[loaded] com.apple.hidfud.plist (2016-09-13)

[running] com.apple.icloud.findmydeviced.plist (2017-01-13)

[running] com.apple.iconservices.iconservicesagent.plist (2017-01-13)

[running] com.apple.iconservices.iconservicesd.plist (2017-01-13)

[running] com.apple.ifdreader.plist (2017-01-13)

[loaded] com.apple.installandsetup.systemmigrationd.plist (2017-01-13)

[running] com.apple.installd.plist (2017-01-13)

[running] com.apple.ionodecache.plist (2017-01-13)

[not loaded] com.apple.jetsamproperties.Mac.plist (2016-11-07) - Invalid signature!

[loaded] com.apple.kcproxy.plist (2017-01-13)

[not loaded] com.apple.kdumpd.plist (2016-09-13)

[running] com.apple.kextd.plist (2017-01-13)

[loaded] com.apple.kuncd.plist (2017-01-13)

[not loaded] com.apple.locate.plist (2016-07-30) - Shell script!

[running] com.apple.locationd.plist (2017-01-13)

[loaded] com.apple.lockd.plist (2017-01-13)

[running] com.apple.logd.plist (2017-01-13)

[running] com.apple.logind.plist (2016-09-13)

[loaded] com.apple.loginwindow.LFVTracer.plist (2017-01-13)

[running] com.apple.loginwindow.plist (2017-01-24)

[loaded] com.apple.logkextloadsd.plist (2017-01-13)

[running] com.apple.lsd.plist (2017-01-13)

[running] com.apple.mDNSResponder.plist (2017-01-13)

[running] com.apple.mDNSResponderHelper.plist (2017-01-13)

[loaded] com.apple.mbsystemadministration.plist (2017-01-13)

[loaded] com.apple.mbusertrampoline.plist (2017-01-13)

[loaded] com.apple.mdmclient.daemon.plist (2017-01-13)

[not loaded] com.apple.mdmclient.daemon.runatboot.plist (2017-01-13)

[running] com.apple.mediaremoted.plist (2017-01-13)

[running] com.apple.metadata.mds.index.plist (2017-01-13)

[running] com.apple.metadata.mds.plist (2017-01-13)

[loaded] com.apple.metadata.mds.scan.plist (2017-01-13)

[loaded] com.apple.metadata.mds.spindump.plist (2017-01-13)

[loaded] com.apple.mobile.fud.plist (2017-01-13)

[failed] com.apple.mobile.keybagd.plist (2016-08-05) - /usr/libexec/keybagd: Executable not found!

[running] com.apple.mobileassetd.plist (2017-01-13)

[not loaded] com.apple.msrpc.echosvc.plist (2017-01-13)

[loaded] com.apple.msrpc.lsarpc.plist (2017-01-13)

[loaded] com.apple.msrpc.mdssvc.plist (2017-01-13)

[loaded] com.apple.msrpc.netlogon.plist (2017-01-13)

[loaded] com.apple.msrpc.srvsvc.plist (2017-01-13)

[loaded] com.apple.msrpc.wkssvc.plist (2017-01-13)

[loaded] com.apple.mtmd.plist (2017-01-13)

[not loaded] com.apple.mtmfs.plist (2017-01-13)

[loaded] com.apple.mtmhelper.plist (2017-01-13)

[running] com.apple.nehelper.plist (2017-01-13)

[loaded] com.apple.nesessionmanager.plist (2017-01-13)

[loaded] com.apple.netauth.sys.auth.plist (2017-01-24)

[loaded] com.apple.netauth.sys.gui.plist (2017-01-24)

[running] com.apple.netbiosd.plist (2017-01-13)

[loaded] com.apple.newsyslog.plist (2016-09-13)

[loaded] com.apple.nfcd.plist (2017-01-13)

[loaded] com.apple.nfrestore.plist (2017-01-13)

[loaded] com.apple.nfsconf.plist (2017-01-13)

[loaded] com.apple.nfsd.plist (2017-01-13)

[loaded] com.apple.nis.ypbind.plist (2016-09-13)

[running] com.apple.noticeboard.state.plist (2017-01-13)

[running] com.apple.notifyd.plist (2017-01-13)

[running] com.apple.nsurlsessiond.plist (2017-01-13)

[running] com.apple.nsurlstoraged.plist (2017-01-13)

[running] com.apple.ocspd.plist (2017-01-13)

[not loaded] com.apple.odproxyd.plist (2017-01-13)

[running] com.apple.opendirectoryd.plist (2017-01-13)

[loaded] com.apple.periodic-daily.plist (2016-09-13)

[loaded] com.apple.periodic-monthly.plist (2016-09-13)

[loaded] com.apple.periodic-weekly.plist (2016-09-13)

[loaded] com.apple.pfctl.plist (2016-09-13)

[loaded] com.apple.pfd.plist (2016-09-13)

[loaded] com.apple.platform.ptmd.plist (2016-09-13)

[loaded] com.apple.postfix.master.plist (2017-01-13)

[loaded] com.apple.postfix.newaliases.plist (2016-07-30) - Shell script!

[running] com.apple.powerd.plist (2017-01-13)

[loaded] com.apple.powerd.swd.plist (2017-01-13)

[loaded] com.apple.preferences.timezone.admintool.plist (2017-01-13)

[loaded] com.apple.preferences.timezone.auto.plist (2017-01-24)

[loaded] com.apple.printtool.daemon.plist (2017-01-13)

[loaded] com.apple.racoon.plist (2017-01-13)

[loaded] com.apple.remotepairtool.plist (2017-01-13)

[running] com.apple.revisiond.plist (2017-01-13)

[loaded] com.apple.rootless.init.plist (2017-01-13)

[loaded] com.apple.rpcbind.plist (2016-09-13)

[loaded] com.apple.rtcreportingd.plist (2017-01-13)

[running] com.apple.sandboxd.plist (2017-01-13)

[not loaded] com.apple.screensharing.plist (2017-01-13)

[loaded] com.apple.scsid.plist (2016-09-13)

[running] com.apple.secinitd.plist (2016-09-13)

[not loaded] com.apple.security.FDERecoveryAgent.plist (2017-01-13)

[loaded] com.apple.security.agent.login.plist (2017-01-13)

[loaded] com.apple.security.authhost.plist (2017-01-13)

[running] com.apple.security.syspolicy.plist (2017-01-13)

[running] com.apple.securityd.plist (2017-01-13)

[running] com.apple.securityd_service.plist (2017-01-13)

[loaded] com.apple.seld.plist (2017-01-13)

[loaded] com.apple.sessionlogoutd.plist (2017-01-13)

[loaded] com.apple.smb.preferences.plist (2017-01-13)

[not loaded] com.apple.smbd.plist (2017-01-13)

[loaded] com.apple.softwareupdate_download_service.plist (2017-01-13)

[loaded] com.apple.softwareupdate_firstrun_tasks.plist (2017-01-13)

[running] com.apple.softwareupdated.plist (2017-01-13)

[loaded] com.apple.speech.speechsynthesisd.plist (2017-01-13)

[running] com.apple.spindump.plist (2017-01-13)

[loaded] com.apple.startupdiskhelper.plist (2016-09-13)

[loaded] com.apple.statd.notify.plist (2017-01-13)

[loaded] com.apple.storagekitd.plist (2017-01-13)

[loaded] com.apple.storeaccountd.daemon.plist (2017-01-13)

[loaded] com.apple.storeagent.daemon.plist (2017-01-13)

[loaded] com.apple.storeassetd.daemon.plist (2017-01-13)

[loaded] com.apple.storedownloadd.daemon.plist (2017-01-13)

[running] com.apple.storeinstalld.plist (2017-01-13)

[loaded] com.apple.storereceiptinstaller.plist (2017-01-13)

[running] com.apple.suhelperd.plist (2017-01-13)

[running] com.apple.symptomsd.plist (2017-01-13)

[loaded] com.apple.sysdiagnose.plist (2017-01-13)

[running] com.apple.syslogd.plist (2017-01-13)

[running] com.apple.sysmond.plist (2017-01-13)

[running] com.apple.system_installd.plist (2017-01-13)

[loaded] com.apple.systemkeychain.plist (2017-01-13)

[running] com.apple.systemstats.analysis.plist (2017-01-13)

[loaded] com.apple.systemstats.daily.plist (2017-01-13)

[loaded] com.apple.tailspind.plist (2017-01-13)

[loaded] com.apple.taskgated-helper.plist (2017-01-13)

[running] com.apple.taskgated.plist (2017-01-13)

[running] com.apple.tccd.system.plist (2017-01-13)

[running] com.apple.thermald.plist (2017-01-13)

[loaded] com.apple.touchbar.user-device.plist (2017-01-24)

[running] com.apple.trustd.plist (2017-01-13)

[loaded] com.apple.ucupdate.plist (2016-09-13)

[running] com.apple.uninstalld.plist (2017-01-13)

[loaded] com.apple.unmountassistant.sysagent.plist (2017-01-13)

[loaded] com.apple.updateEFIDesktopPicture.plist (2017-01-13)

[running] com.apple.usbd.plist (2017-01-13)

[running] com.apple.usbmuxd.plist (2016-08-01)

[not loaded] com.apple.uucp.plist (2016-09-13)

[loaded] com.apple.var-db-dslocal-backup.plist (2017-01-13)

[loaded] com.apple.vsdbutil.plist (2016-09-13)

[running] com.apple.warmd.plist (2017-01-13)

[running] com.apple.watchdogd.plist (2017-01-13)

[running] com.apple.wdhelper.plist (2017-01-13)

[loaded] com.apple.wifid.plist (2017-01-13)

[running] com.apple.wifivelocityd.plist (2017-01-13)

[running] com.apple.wirelessproxd.plist (2017-01-13)

[loaded] com.apple.wwand.plist (2017-01-13)

[loaded] com.apple.xartstorageremoted.plist (2017-01-13)

[loaded] com.apple.xpc.smd.plist (2017-01-13)

[loaded] com.apple.xpc.uscwoap.plist (2016-09-13)

[not loaded] com.apple.xsan.plist (2017-01-13)

[not loaded] com.apple.xsandaily.plist (2017-01-13)

[not loaded] com.apple.xscertadmin.plist (2016-09-13)

[not loaded] com.apple.xscertd-helper.plist (2016-09-13)

[not loaded] com.apple.xscertd.plist (2016-09-13)

[loaded] com.vix.cron.plist (2016-09-13)

[not loaded] finger.plist (2016-09-13)

[not loaded] ftp.plist (2016-09-13)

[not loaded] ntalk.plist (2016-09-13)

[not loaded] org.apache.httpd.plist (2016-08-08) - Shell script!

[not loaded] org.cups.cups-lpd.plist (2017-01-13)

[loaded] org.cups.cupsd.plist (2017-01-13)

[not loaded] org.net-snmp.snmpd.plist (2016-07-30) - Shell script!

[running] org.ntp.ntpd.plist (2016-07-30) - Shell script!

[not loaded] org.openldap.slapd.plist (2017-01-13)

[not loaded] ssh.plist (2016-07-30) - Shell script!

[not loaded] telnet.plist (2016-09-13)

[not loaded] tftp.plist (2016-09-13)

User Login Items:ⓘ

Wondershare Helper Compact Application

(~/Library/Application Support/Helper/Wondershare Helper Compact.app)

Internet Plug-ins:ⓘ

QuickTime Plugin: 7.7.3 (2017-01-24)

3rd Party Preference Panes:ⓘ

None

Time Machine:ⓘ

Time Machine not configured!

Top Processes by CPU:ⓘ

8% WindowServer

4% fontd

2% com.apple.WebKit.Networking

1% kernel_task

1% Dock

Top Processes by Memory:ⓘ

873 MB kernel_task

393 MB iExplorer

360 MB com.apple.WebKit.WebContent

279 MB WindowServer

164 MB Safari

Virtual Memory Information:ⓘ

11.22 GB Available RAM

6.39 GB Free RAM

4.78 GB Used RAM

4.83 GB Cached files

0 B Swap Used

Diagnostics Information:ⓘ

Jan 24, 2017, 09:31:40 PM Self test - passed

Reply

Answer 4

Drew Reece

Level 6

10,684 points

Jan 27, 2017 4:42 PM in response to Schwigs

Schwigs wrote:

Drew,

Again, thank you very much for the help. I hope you know I take no offense to what you said.

Excellent, that was my intention 🙂

I don't doubt that your experience can make you try to ensure everything is safe, as far as I can tell you don't trust this device and should return/ exchange it if that is at all possible.

The keychain is not intended to be used to codesign apps for that you need an Apple developer account with a certificate & then use the tools in Xcode (or Terminal). I do not believe the Apple root cert is suited to code signing - which is why I am convinced your test is invalid. I'll see if any developers can help clarify.

The codesign manual may help (or add to the complexity & confusion)

'man codesign' in Terminal or…

https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPag es/man1/codesign.1.html

Good luck with it.

Reply

Answer 5

etresoft

Level 9

56,326 points

Feb 6, 2017 12:30 PM in response to Drew Reece

To clarify some things...

In the screen shots posted to start this thread, Schwigs was attempting to evaluate Apple system certificates based on a "code signing" trust policy meant for Apple developers. (See https://developer.apple.com/library/prerelease/content/documentation/Security/Co nceptual/CertKeyTrustProgGuide/Trust.htm…). Perhaps Schwigs was following instructions from this Apple Support Document (see Keychain Access: Determine if a certificate is valid). Unfortunately, that document is incorrect. Certificates and code signing is very complicated, sometimes too complicated for even Apple support itself.

Those "AppleInternal" items in the EtreCheck report are completely normal. All macOS installations have a long list of such leftover internal files and known failures. By default, EtreCheck hides those things and for good reason.

There is no evidence in this thread of any kind of hacking whatsoever, either on this machine or the previous one. I can't comment on any other internet hacking or identity theft issues. Sadly, those are all too common. But digging into the internals of a Mac is the wrong place to be looking.

Reply

Answer 6

Feb 26, 2017 9:09 AM in response to etresoft

This is going over my head right now. Mr. Etresoft guy are you saying that the PacketLogger is a normal term for the PF that's on every Mac (which imho is sadly neglected and relegated to the Terminal)? I second the OPs comment on AppleCare's diminished capacity here. Please look at what recently happened to me: 10.12.3 Combo update failing code sign verification, certificates fail, and mysterious error message from the Mac Store. I've ran the Etresoft before and had similar complaints. I feel like I have some modified OS too as out there as that sounds. I've seen weird things in my Installer Log during restoration. I know that a computer of mine was configured to send something to an IP address in Japan, found a Japanese migration assistant, and I'm afraid to say more.

Look at this Installer Log (errors only) from Recovery Mode. It was dated Sept. 18, 2004 and this was last week:

Sep 17 22:53:29 localhost Unknown[307]: Launching the Language Chooser for an OS Install

Sep 17 22:53:37 localhost configd[112]: bootp_session_transmit: bpf_write(en1) failed: Network is down (50)

Sep 17 22:53:37 localhost configd[112]: DHCP en1: INIT transmit failed

Sep 17 22:53:38 localhost LCA[308]: Error -10811 retgisting path /System/Library/CoreServices/Archive Utility.app

Sep 17 22:53:38 localhost LCA[308]: Error -10811 retgisting path /System/Library/CoreServices/Dock.app

Sep 17 22:53:38 localhost LCA[308]: Error -10811 retgisting path /System/Library/CoreServices/Finder.app

Sep 17 22:53:38 localhost LCA[308]: Error -10811 retgisting path /System/Library/CoreServices/Screen Sharing.app

Sep 17 22:53:38 localhost LCA[308]: Error -10811 retgisting path /Applications/Address Book.app

Sep 17 22:53:38 localhost LCA[308]: Error -10811 retgisting path /Applications/App Store.app

Sep 17 22:53:38 localhost LCA[308]: Error -10811 retgisting path /Applications/FaceTime.app

Sep 17 22:53:38 localhost LCA[308]: Error -10811 retgisting path /Applications/iCal.app

Sep 17 22:53:38 localhost LCA[308]: Error -10811 retgisting path /Applications/iChat.app

Sep 17 22:53:38 localhost LCA[308]: Error -10811 retgisting path /Applications/Mail.app

Sep 17 22:53:38 localhost LCA[308]: Error -10811 retgisting path /Applications/Preview.app

Sep 17 22:53:38 localhost LCA[308]: Error -10811 retgisting path /Applications/QuickTime Player.app

Sep 17 22:53:38 localhost LCA[308]: Error -10811 retgisting path /Applications/System Preferences.app

Sep 17 22:53:38 localhost LCA[308]: Error -10811 retgisting path /Applications/TextEdit.app

Sep 17 22:53:38 localhost LCA[308]: Error -10811 retgisting path /Applications/iTunes.app

Sep 17 22:53:38 localhost LCA[308]: Error -10811 retgisting path /Applications/Utilities/Console.app

Sep 17 22:53:38 localhost LCA[308]: Error -10811 retgisting path /Applications/Utilities/VoiceOver Utility.app

Sep 17 22:53:38 localhost LCA[308]: Error -10811 retgisting path /System/Library/Services/AppleSpell.service

Sep 17 22:53:38 localhost LCA[308]: Error -10811 retgisting path /System/Library/Services/OpenSpell.service

Sep 17 22:53:38 localhost LCA[308]: Error -10811 retgisting path /System/Library/Services/SpeechService.service

Sep 17 22:53:38 localhost LCA[308]: Error -10811 retgisting path /System/Library/Services/Spotlight.service

Sep 17 22:53:38 localhost LCA[308]: Error -10811 retgisting path /System/Library/Image Capture/Support/Image Capture Extension.app

Sep 17 22:53:39 localhost diskmanagementd[329]: DM ->T+[DMToolBootPreference getPartitionBootability:]: inUDS=0x1110efc30=disk1s3=Mac OS X Base System

Sep 17 22:53:39 localhost diskmanagementd[329]: DM ..T+[DMToolBootPreference getPartitionBootability:]: PMBootable=1 (bootable right now without any further action)

Sep 17 22:53:39 localhost diskmanagementd[329]: DM ..T+[DMToolBootPreference getPartitionBootability:]: PMBootCapable=0 (bootable if you call MKCFPrepareBootDevice)

Sep 17 22:53:39 localhost diskmanagementd[329]: DM ..T+[DMToolBootPreference getPartitionBootability:]: PMBootSurgeryRequired=0 (for primitive MBR on BIOS, add boot block and loader)

Sep 17 22:53:39 localhost diskmanagementd[329]: DM ..T+[DMToolBootPreference getPartitionBootability:]: PMFSSurgeryRequired=0 (for primitive MBR on BIOS, add boot block and loader)

Sep 17 22:53:39 localhost diskmanagementd[329]: DM ..T+[DMToolBootPreference getPartitionBootability:]: PMNewfsRequired=1 (bootable with MKCFPrep but it will rudely carve)

Sep 17 22:53:39 localhost diskmanagementd[329]: DM <-T+[DMToolBootPreference getPartitionBootability:]: MKerr=0 out=12=0xc

Sep 17 22:53:45 localhost diskmanagementd[329]: DM ->T+[DMToolBootPreference getPartitionBootability:]: inUDS=0x1110efc30=disk1s3=Mac OS X Base System

Sep 17 22:53:45 localhost diskmanagementd[329]: DM ..T+[DMToolBootPreference getPartitionBootability:]: PMBootable=1 (bootable right now without any further action)

Sep 17 22:53:45 localhost diskmanagementd[329]: DM ..T+[DMToolBootPreference getPartitionBootability:]: PMBootCapable=0 (bootable if you call MKCFPrepareBootDevice)

Sep 17 22:53:45 localhost diskmanagementd[329]: DM ..T+[DMToolBootPreference getPartitionBootability:]: PMBootSurgeryRequired=0 (for primitive MBR on BIOS, add boot block and loader)

Sep 17 22:53:45 localhost diskmanagementd[329]: DM ..T+[DMToolBootPreference getPartitionBootability:]: PMFSSurgeryRequired=0 (for primitive MBR on BIOS, add boot block and loader)

Sep 17 22:53:45 localhost diskmanagementd[329]: DM ..T+[DMToolBootPreference getPartitionBootability:]: PMNewfsRequired=1 (bootable with MKCFPrep but it will rudely carve)

Sep 17 22:53:45 localhost diskmanagementd[329]: DM <-T+[DMToolBootPreference getPartitionBootability:]: MKerr=0 out=12=0xc

Sep 17 22:53:45 localhost configd[112]: subnet_route_if_index: can't get interface name

Sep 17 22:58:32 localhost LCA[308]: Launching the Springboard using language code "English"

Sep 17 22:58:34 localhost Unknown[309]: Keyboard Layouts: duplicate keyboard layout identifier -16899.

Sep 17 22:58:34 localhost Unknown[309]: Keyboard Layouts: keyboard layout identifier -16899 has been replaced with -28673.

Sep 17 22:58:34 localhost Unknown[309]: Keyboard Layouts: duplicate keyboard layout identifier -16900.

Sep 17 22:58:34 localhost Unknown[309]: Keyboard Layouts: keyboard layout identifier -16900 has been replaced with -28674.

Sep 17 22:58:43 localhost Unknown[309]: 2004-09-17 22:58:43.103 Safari[546:9f03] WARNING: BookmarkedFeedsManager couldn't get PSClient!

Sep 17 23:00:22 localhost opendirectoryd[101]: 616.1 - Client: webfilterproxyd, UID: 0, EUID: 0, GID: 0, EGID: 0

Sep 17 23:00:22 localhost opendirectoryd[101]: 616.1 - ODNodeCreateWithName request, SessionID: 00000000-0000-0000-0000-000000000000, Name: /Local/Default

Sep 17 23:00:22 localhost opendirectoryd[101]: 616.1 - loading configuration for '/Local' from '/System/Library/OpenDirectory/Configurations/Local.plist'

Sep 17 23:00:22 localhost opendirectoryd[101]: Loaded bundle at path '/System/Library/OpenDirectory/Modules/PlistFile.bundle'

Sep 17 23:00:22 localhost opendirectoryd[101]: 616.1 - unable to find authentication module 'ConfigurationProfiles'

Sep 17 23:00:22 localhost opendirectoryd[101]: 616.1 - unable to find service discovery callback for module 'PlistFile'

Sep 17 23:00:22 localhost opendirectoryd[101]: Registering for network changes

Sep 17 23:00:22 localhost opendirectoryd[101]: Registered subnode with name '/Local/Default'

Sep 17 23:00:22 localhost opendirectoryd[101]: failed to open local node for internal record copy

Sep 17 23:00:22 localhost opendirectoryd[101]: Registering for power changes

Sep 17 23:00:22 localhost opendirectoryd[101]: Registering for network power changes

Sep 17 23:00:22 localhost opendirectoryd[101]: 616.1, Node: /Local/Default - node assigned UUID - E4968901-0192-4790-A0A9-15704A3BE171

Sep 17 23:00:22 localhost opendirectoryd[101]: 616.1, Node: /Local/Default - ODNodeCreateWithName completed

Sep 17 23:00:22 localhost opendirectoryd[101]: 616.2 - Client: webfilterproxyd, UID: 0, EUID: 0, GID: 0, EGID: 0

Sep 17 23:00:22 localhost opendirectoryd[101]: 616.2 - ODQueryCreateWithNode request, NodeID: E4968901-0192-4790-A0A9-15704A3BE171, RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:UniqueID, MatchType: EqualTo, Equality: Number, Value(s): 0, Requested Attributes: dsAttributesAll, Max Results: 2147483647

Sep 17 23:00:22 localhost opendirectoryd[101]: 616.2, Node: /Local/Default, Module: PlistFile - ODQueryCreateWithNode completed, delivered 1 result

Sep 17 23:00:22 localhost opendirectoryd[101]: 616.3 - Client: webfilterproxyd, UID: 0, EUID: 0, GID: 0, EGID: 0

Sep 17 23:00:22 localhost opendirectoryd[101]: 616.3 - ODQueryCreateWithNode request, NodeID: E4968901-0192-4790-A0A9-15704A3BE171, RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): root, Requested Attributes: dsAttributesAll, Max Results: 1

Sep 17 23:00:22 localhost opendirectoryd[101]: 616.3, Node: /Local/Default, Module: PlistFile - ODQueryCreateWithNode completed, delivered 1 result

Sep 17 23:00:22 localhost opendirectoryd[101]: 616.4 - Client: webfilterproxyd, UID: 0, EUID: 0, GID: 0, EGID: 0

Sep 17 23:00:22 localhost opendirectoryd[101]: 616.4 - ODQueryCreateWithNode request, NodeID: E4968901-0192-4790-A0A9-15704A3BE171, RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): root, Requested Attributes: dsAttrTypeStandard:GeneratedUID,dsAttrTypeNative:_writers_LinkedIdentity,dsAttr TypeStandard:RealName,dsAttrTypeNative:_writers_realname,dsAttrTypeNative:Linked Identity,dsAttrTypeStandard:Picture,dsAttrTypeNative:_writers_UserCertificate,ds AttrTypeStandard:Password,dsAttrTypeStandard:CopyTimestamp,dsAttrTypeStandard:Ap pleMetaNodeLocation,dsAttrTypeStandard:RecordType,dsAttrTypeStandard:PrimaryGrou pID,dsAttrTypeStandard:AuthenticationAuthority,dsAttrTypeNative:_writers_hint,ds AttrTypeNative:_shadow_passwd,dsAttrTypeNative:_defaultLanguage,dsAttrTypeStanda rd:MCXSettings,dsAttrTypeStandard:JPEGPhoto,dsAttrTypeNative:_writers_passwd,dsA ttrTypeStandard:RecordName,dsAttrTypeStandard:AuthenticationHint,dsAttrTypeNativ e:_writers_picture,dsAttrTypeNative:_writers__defaultLanguage,dsAttrTypeNative:e xternal,dsAttrTypeNative:_guest,dsAttrTypeStandard:HomeDirectory,dsAttrTypeStand ard:UserShell,dsAttrTypeNative:_writers_jpegphoto,dsAttrTypeStandard:UniqueID,ds AttrTypeStandard:AppleMetaRecordName,dsAttrTypeStandard:NFSHomeDirectory, Max Results: 1

Sep 17 23:00:22 localhost opendirectoryd[101]: 616.4, Node: /Local/Default, Module: PlistFile - ODQueryCreateWithNode completed, delivered 1 result

Sep 17 23:01:04 localhost opendirectoryd[101]: Processing a network change notification

Sep 17 23:20:36 localhost Unknown[309]: 2004-09-17 23:20:36.458 Safari[1428:9f03] WARNING: BookmarkedFeedsManager couldn't get PSClient!

Sep 17 23:20:36 localhost Unknown[309]: 2004-09-17 23:20:36.983 WebProcess[1429:2e03] Failed to communicate with qtkitserver: Connection invalid

Sep 17 23:20:36 localhost Unknown[309]: 2004-09-17 23:20:36.983 WebProcess[1429:2e03] Failed to initializeServer(), returned 5

Sep 17 23:36:34 localhost opendirectoryd[101]: Received power notification - disabling network activity

Sep 17 23:56:17 localhost opendirectoryd[101]: Received power notification - enabling network activity

Sep 17 23:56:18 localhost opendirectoryd[101]: Received power notification (system has powered on)

Sep 17 23:56:26 localhost configd[112]: subnet_route_if_index: can't get interface name

Sep 17 23:56:30 localhost opendirectoryd[101]: Processing a network change notification

Sep 18 00:07:56 localhost opendirectoryd[101]: Received power notification - disabling network activity

Sep 18 03:46:25 localhost opendirectoryd[101]: Received power notification - enabling network activity

Sep 18 03:46:25 localhost opendirectoryd[101]: Received power notification (system has powered on)

Sep 18 03:46:27 localhost opendirectoryd[101]: Processing a network change notification

Sep 18 03:46:33 localhost configd[112]: subnet_route_if_index: can't get interface name

Sep 18 03:46:37 localhost opendirectoryd[101]: Processing a network change notification

Sep 18 03:47:07 localhost opendirectoryd[101]: Processing a network change notification

Sep 18 03:57:14 localhost Unknown[309]: 2004-09-18 03:57 Disk Utility[1435] (CarbonCore.framework) FSEventStreamStart: ERROR: FSEvents_connect() => Unknown service name (1102)

Sep 18 03:57:14 localhost opendirectoryd[101]: 310.5 - Client: coreservicesd, UID: 0, EUID: 0, GID: 0, EGID: 0

Sep 18 03:57:14 localhost opendirectoryd[101]: 310.5 - ODNodeCreateWithName request, SessionID: 00000000-0000-0000-0000-000000000000, Name: /Local/Default

Sep 18 03:57:14 localhost opendirectoryd[101]: 310.5, Node: /Local/Default - node assigned UUID - 566E251B-0D5D-4809-9B14-2AA29283473F

Sep 18 03:57:14 localhost opendirectoryd[101]: 310.5, Node: /Local/Default - ODNodeCreateWithName completed

Sep 18 03:57:14 localhost opendirectoryd[101]: 310.6 - Client: coreservicesd, UID: 0, EUID: 0, GID: 0, EGID: 0

Sep 18 03:57:14 localhost opendirectoryd[101]: 310.6 - ODQueryCreateWithNode request, NodeID: 566E251B-0D5D-4809-9B14-2AA29283473F, RecordType(s): dsRecTypeNative:config, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseExact, Value(s): SharePoints, Requested Attributes: dsAttributesAll, Max Results: 1

Sep 18 03:57:14 localhost opendirectoryd[101]: 310.6, Node: /Local/Default, Module: PlistFile - client is using a native record type 'config' which is not portable

Sep 18 03:57:14 localhost opendirectoryd[101]: 310.6, Node: /Local/Default, Module: PlistFile - ODQueryCreateWithNode completed

Sep 18 03:57:14 localhost opendirectoryd[101]: 310.7 - Client: coreservicesd, UID: 0, EUID: 0, GID: 0, EGID: 0

Sep 18 03:57:14 localhost opendirectoryd[101]: 310.7 - ODNodeCreateRecord request, NodeID: 566E251B-0D5D-4809-9B14-2AA29283473F, RecordType: dsRecTypeNative:config, RecordName: SharePoints, Attributes: <none>

Sep 18 03:57:14 localhost opendirectoryd[101]: 310.7, Node: /Local/Default, Module: PlistFile - client is using a native record type 'config' which is not portable

Sep 18 03:57:14 localhost opendirectoryd[101]: 310.7, Node: /Local/Default, Module: PlistFile - ODNodeCreateRecord completed, delivered 1 result

Sep 18 03:57:14 localhost opendirectoryd[101]: 310.8 - Client: coreservicesd, UID: 0, EUID: 0, GID: 0, EGID: 0

Sep 18 03:57:14 localhost opendirectoryd[101]: 310.8 - ODQueryCreateWithNode request, NodeID: 566E251B-0D5D-4809-9B14-2AA29283473F, RecordType(s): dsRecTypeNative:config/SharePoints, Attribute: dsAttrTypeStandard:RecordName, MatchType: Any, Equality: CaseExact, Value(s): dsRecordsAll, Requested Attributes: dsAttrTypeNative:ftp_guestaccess,dsAttrTypeNative:smb_name,dsAttrTypeNative:sha repoint_account_uuid,dsAttrTypeNative:smb_createmask,dsAttrTypeNative:sharepoint _version,dsAttrTypeStandard:AppleMetaNodeLocation,dsAttrTypeNative:afp_guestacce ss,dsAttrTypeNative:afp_shared,dsAttrTypeStandard:RecordType,dsAttrTypeNative:ft p_shared,dsAttrTypeNative:afp_name,dsAttrTypeNative:smb_oplocks,dsAttrTypeNative :afp_use_parent_owner,dsAttrTypeNative:smb_directorymask,dsAttrTypeStandard:Reco rdName,dsAttrTypeNative:afp_use_parent_privs,dsAttrTypeNative:smb_guestaccess,ds AttrTypeNative:smb_inherit_permissions,dsAttrTypeStandard:AppleMetaRecordName,ds AttrTypeNative:smb_shared,dsAttrTypeNative:directory_path,dsAttrTypeNative:smb_s trictlocking,dsAttrTypeNative:sharepoint_group_id,dsAttrTypeNative:ftp_name, Max Results: 2147483647

Sep 18 03:57:14 localhost opendirectoryd[101]: 310.8, Node: /Local/Default, Module: PlistFile - client is using an old record type 'dsRecTypeNative:config/SharePoints' should be using kODRecordTypeSharePoints

Sep 18 03:57:14 localhost opendirectoryd[101]: 310.8, Node: /Local/Default, Module: PlistFile - flushing record '/private/var/db/dslocal/nodes/Default/config/SharePoints'

Sep 18 03:57:14 localhost opendirectoryd[101]: Module: PlistFile - ___index_record_block_invoke_1: sqlite3_prepare_v2: 21

Sep 18 03:57:14 localhost opendirectoryd[101]: 310.8, Node: /Local/Default, Module: PlistFile - ODQueryCreateWithNode completed

Sep 18 03:57:14 localhost Unknown[309]: 2004-09-18 03:57:14.313 Disk Utility[1435:a003] NSSoftLinking - The iLifeMediaBrowser framework's library couldn't be loaded from (null).

Sep 18 03:57:46 localhost Unknown[309]: 2004-09-18 03:57:46.010 Disk Utility[1435:a003] NSSoftLinking - The iLifeMediaBrowser framework's library couldn't be loaded from (null).

Sep 18 03:58:06 localhost Unknown[309]: 2004-09-18 03:58:06.418 Disk Utility[1435:a003] NSSoftLinking - The iLifeMediaBrowser framework's library couldn't be loaded from (null).

Sep 18 03:59:57 localhost opendirectoryd[101]: 310.9 - Client: coreservicesd, UID: 0, EUID: 0, GID: 0, EGID: 0

Sep 18 03:59:57 localhost opendirectoryd[101]: 310.9 - ODQueryCreateWithNode request, NodeID: 566E251B-0D5D-4809-9B14-2AA29283473F, RecordType(s): dsRecTypeNative:config/SharePoints, Attribute: dsAttrTypeStandard:RecordName, MatchType: Any, Equality: CaseExact, Value(s): dsRecordsAll, Requested Attributes: dsAttrTypeNative:ftp_guestaccess,dsAttrTypeNative:smb_name,dsAttrTypeNative:sha repoint_account_uuid,dsAttrTypeNative:smb_createmask,dsAttrTypeNative:sharepoint _version,dsAttrTypeStandard:AppleMetaNodeLocation,dsAttrTypeNative:afp_guestacce ss,dsAttrTypeNative:afp_shared,dsAttrTypeStandard:RecordType,dsAttrTypeNative:ft p_shared,dsAttrTypeNative:afp_name,dsAttrTypeNative:smb_oplocks,dsAttrTypeNative :afp_use_parent_owner,dsAttrTypeNative:smb_directorymask,dsAttrTypeStandard:Reco rdName,dsAttrTypeNative:afp_use_parent_privs,dsAttrTypeNative:smb_guestaccess,ds AttrTypeNative:smb_inherit_permissions,dsAttrTypeStandard:AppleMetaRecordName,ds AttrTypeNative:smb_shared,dsAttrTypeNative:directory_path,dsAttrTypeNative:smb_s trictlocking,dsAttrTypeNative:sharepoint_group_id,dsAttrTypeNative:ftp_name, Max Results: 2147483647

Sep 18 03:59:57 localhost opendirectoryd[101]: 310.9, Node: /Local/Default, Module: PlistFile - client is using an old record type 'dsRecTypeNative:config/SharePoints' should be using kODRecordTypeSharePoints

Sep 18 03:59:57 localhost opendirectoryd[101]: 310.9, Node: /Local/Default, Module: PlistFile - ODQueryCreateWithNode completed

Sep 18 04:00:17 localhost opendirectoryd[101]: 310.10 - Client: coreservicesd, UID: 0, EUID: 0, GID: 0, EGID: 0

Sep 18 04:00:17 localhost opendirectoryd[101]: 310.10 - ODQueryCreateWithNode request, NodeID: 566E251B-0D5D-4809-9B14-2AA29283473F, RecordType(s): dsRecTypeNative:config/SharePoints, Attribute: dsAttrTypeStandard:RecordName, MatchType: Any, Equality: CaseExact, Value(s): dsRecordsAll, Requested Attributes: dsAttrTypeNative:ftp_guestaccess,dsAttrTypeNative:smb_name,dsAttrTypeNative:sha repoint_account_uuid,dsAttrTypeNative:smb_createmask,dsAttrTypeNative:sharepoint _version,dsAttrTypeStandard:AppleMetaNodeLocation,dsAttrTypeNative:afp_guestacce ss,dsAttrTypeNative:afp_shared,dsAttrTypeStandard:RecordType,dsAttrTypeNative:ft p_shared,dsAttrTypeNative:afp_name,dsAttrTypeNative:smb_oplocks,dsAttrTypeNative :afp_use_parent_owner,dsAttrTypeNative:smb_directorymask,dsAttrTypeStandard:Reco rdName,dsAttrTypeNative:afp_use_parent_privs,dsAttrTypeNative:smb_guestaccess,ds AttrTypeNative:smb_inherit_permissions,dsAttrTypeStandard:AppleMetaRecordName,ds AttrTypeNative:smb_shared,dsAttrTypeNative:directory_path,dsAttrTypeNative:smb_s trictlocking,dsAttrTypeNative:sharepoint_group_id,dsAttrTypeNative:ftp_name, Max Results: 2147483647

Sep 18 04:00:17 localhost opendirectoryd[101]: 310.10, Node: /Local/Default, Module: PlistFile - client is using an old record type 'dsRecTypeNative:config/SharePoints' should be using kODRecordTypeSharePoints

Sep 18 04:00:17 localhost opendirectoryd[101]: 310.10, Node: /Local/Default, Module: PlistFile - ODQueryCreateWithNode completed

Sep 18 04:00:20 localhost opendirectoryd[101]: 310.11 - Client: coreservicesd, UID: 0, EUID: 0, GID: 0, EGID: 0

Sep 18 04:00:20 localhost opendirectoryd[101]: 310.11 - ODQueryCreateWithNode request, NodeID: 566E251B-0D5D-4809-9B14-2AA29283473F, RecordType(s): dsRecTypeNative:config/SharePoints, Attribute: dsAttrTypeStandard:RecordName, MatchType: Any, Equality: CaseExact, Value(s): dsRecordsAll, Requested Attributes: dsAttrTypeNative:ftp_guestaccess,dsAttrTypeNative:smb_name,dsAttrTypeNative:sha repoint_account_uuid,dsAttrTypeNative:smb_createmask,dsAttrTypeNative:sharepoint _version,dsAttrTypeStandard:AppleMetaNodeLocation,dsAttrTypeNative:afp_guestacce ss,dsAttrTypeNative:afp_shared,dsAttrTypeStandard:RecordType,dsAttrTypeNative:ft p_shared,dsAttrTypeNative:afp_name,dsAttrTypeNative:smb_oplocks,dsAttrTypeNative :afp_use_parent_owner,dsAttrTypeNative:smb_directorymask,dsAttrTypeStandard:Reco rdName,dsAttrTypeNative:afp_use_parent_privs,dsAttrTypeNative:smb_guestaccess,ds AttrTypeNative:smb_inherit_permissions,dsAttrTypeStandard:AppleMetaRecordName,ds AttrTypeNative:smb_shared,dsAttrTypeNative:directory_path,dsAttrTypeNative:smb_s trictlocking,dsAttrTypeNative:sharepoint_group_id,dsAttrTypeNative:ftp_name, Max Results: 2147483647

Sep 18 04:00:20 localhost opendirectoryd[101]: 310.11, Node: /Local/Default, Module: PlistFile - client is using an old record type 'dsRecTypeNative:config/SharePoints' should be using kODRecordTypeSharePoints

Sep 18 04:00:20 localhost opendirectoryd[101]: 310.11, Node: /Local/Default, Module: PlistFile - ODQueryCreateWithNode completed

Sep 18 04:01:00 localhost opendirectoryd[101]: 310.12 - Client: coreservicesd, UID: 0, EUID: 0, GID: 0, EGID: 0

Sep 18 04:01:00 localhost opendirectoryd[101]: 310.12 - ODQueryCreateWithNode request, NodeID: 566E251B-0D5D-4809-9B14-2AA29283473F, RecordType(s): dsRecTypeNative:config/SharePoints, Attribute: dsAttrTypeStandard:RecordName, MatchType: Any, Equality: CaseExact, Value(s): dsRecordsAll, Requested Attributes: dsAttrTypeNative:ftp_guestaccess,dsAttrTypeNative:smb_name,dsAttrTypeNative:sha repoint_account_uuid,dsAttrTypeNative:smb_createmask,dsAttrTypeNative:sharepoint _version,dsAttrTypeStandard:AppleMetaNodeLocation,dsAttrTypeNative:afp_guestacce ss,dsAttrTypeNative:afp_shared,dsAttrTypeStandard:RecordType,dsAttrTypeNative:ft p_shared,dsAttrTypeNative:afp_name,dsAttrTypeNative:smb_oplocks,dsAttrTypeNative :afp_use_parent_owner,dsAttrTypeNative:smb_directorymask,dsAttrTypeStandard:Reco rdName,dsAttrTypeNative:afp_use_parent_privs,dsAttrTypeNative:smb_guestaccess,ds AttrTypeNative:smb_inherit_permissions,dsAttrTypeStandard:AppleMetaRecordName,ds AttrTypeNative:smb_shared,dsAttrTypeNative:directory_path,dsAttrTypeNative:smb_s trictlocking,dsAttrTypeNative:sharepoint_group_id,dsAttrTypeNative:ftp_name, Max Results: 2147483647

Sep 18 04:01:00 localhost opendirectoryd[101]: 310.12, Node: /Local/Default, Module: PlistFile - client is using an old record type 'dsRecTypeNative:config/SharePoints' should be using kODRecordTypeSharePoints

Sep 18 04:01:00 localhost opendirectoryd[101]: 310.12, Node: /Local/Default, Module: PlistFile - ODQueryCreateWithNode completed

Sep 18 04:01:09 localhost Unknown[309]: 2004-09-18 04:01:09.161 Disk Utility[1435:a003] NSSoftLinking - The iLifeMediaBrowser framework's library couldn't be loaded from (null).

Sep 18 04:04:50 localhost opendirectoryd[101]: 310.13 - Client: coreservicesd, UID: 0, EUID: 0, GID: 0, EGID: 0

Sep 18 04:04:50 localhost opendirectoryd[101]: 310.13 - ODQueryCreateWithNode request, NodeID: 566E251B-0D5D-4809-9B14-2AA29283473F, RecordType(s): dsRecTypeNative:config/SharePoints, Attribute: dsAttrTypeStandard:RecordName, MatchType: Any, Equality: CaseExact, Value(s): dsRecordsAll, Requested Attributes: dsAttrTypeNative:ftp_guestaccess,dsAttrTypeNative:smb_name,dsAttrTypeNative:sha repoint_account_uuid,dsAttrTypeNative:smb_createmask,dsAttrTypeNative:sharepoint _version,dsAttrTypeStandard:AppleMetaNodeLocation,dsAttrTypeNative:afp_guestacce ss,dsAttrTypeNative:afp_shared,dsAttrTypeStandard:RecordType,dsAttrTypeNative:ft p_shared,dsAttrTypeNative:afp_name,dsAttrTypeNative:smb_oplocks,dsAttrTypeNative :afp_use_parent_owner,dsAttrTypeNative:smb_directorymask,dsAttrTypeStandard:Reco rdName,dsAttrTypeNative:afp_use_parent_privs,dsAttrTypeNative:smb_guestaccess,ds AttrTypeNative:smb_inherit_permissions,dsAttrTypeStandard:AppleMetaRecordName,ds AttrTypeNative:smb_shared,dsAttrTypeNative:directory_path,dsAttrTypeNative:smb_s trictlocking,dsAttrTypeNative:sharepoint_group_id,dsAttrTypeNative:ftp_name, Max Results: 2147483647

Sep 18 04:04:50 localhost opendirectoryd[101]: 310.13, Node: /Local/Default, Module: PlistFile - client is using an old record type 'dsRecTypeNative:config/SharePoints' should be using kODRecordTypeSharePoints

Sep 18 04:04:50 localhost opendirectoryd[101]: 310.13, Node: /Local/Default, Module: PlistFile - ODQueryCreateWithNode completed

Sep 18 04:05:09 localhost diskmanagementd[1436]: DM ->T-[DMToolBootPreference buildBootCachesForDisk:forcing:]: inDiskUDS=0x7febd344f4a8=disk0s2=Computer inForce=1

Sep 18 04:05:10 localhost opendirectoryd[101]: 310.14 - Client: coreservicesd, UID: 0, EUID: 0, GID: 0, EGID: 0

Sep 18 04:05:10 localhost opendirectoryd[101]: 310.14 - ODQueryCreateWithNode request, NodeID: 566E251B-0D5D-4809-9B14-2AA29283473F, RecordType(s): dsRecTypeNative:config/SharePoints, Attribute: dsAttrTypeStandard:RecordName, MatchType: Any, Equality: CaseExact, Value(s): dsRecordsAll, Requested Attributes: dsAttrTypeNative:ftp_guestaccess,dsAttrTypeNative:smb_name,dsAttrTypeNative:sha repoint_account_uuid,dsAttrTypeNative:smb_createmask,dsAttrTypeNative:sharepoint _version,dsAttrTypeStandard:AppleMetaNodeLocation,dsAttrTypeNative:afp_guestacce ss,dsAttrTypeNative:afp_shared,dsAttrTypeStandard:RecordType,dsAttrTypeNative:ft p_shared,dsAttrTypeNative:afp_name,dsAttrTypeNative:smb_oplocks,dsAttrTypeNative :afp_use_parent_owner,dsAttrTypeNative:smb_directorymask,dsAttrTypeStandard:Reco rdName,dsAttrTypeNative:afp_use_parent_privs,dsAttrTypeNative:smb_guestaccess,ds AttrTypeNative:smb_inherit_permissions,dsAttrTypeStandard:AppleMetaRecordName,ds AttrTypeNative:smb_shared,dsAttrTypeNative:directory_path,dsAttrTypeNative:smb_s trictlocking,dsAttrTypeNative:sharepoint_group_id,dsAttrTypeNative:ftp_name, Max Results: 2147483647

Sep 18 04:05:10 localhost opendirectoryd[101]: 310.14, Node: /Local/Default, Module: PlistFile - client is using an old record type 'dsRecTypeNative:config/SharePoints' should be using kODRecordTypeSharePoints

Sep 18 04:05:10 localhost opendirectoryd[101]: 310.14, Node: /Local/Default, Module: PlistFile - ODQueryCreateWithNode completed

Sep 18 04:05:10 localhost diskmanagementd[1436]: DM ..T-[DMToolBootPreference buildBootCachesForDisk:forcing:]: launching and blocking /usr/sbin/kextcache (

"-f",

"-u",

"/Volumes/Computer"

)

Sep 18 04:05:10 localhost diskmanagementd[1436]: DM ..T-[DMToolBootPreference buildBootCachesForDisk:forcing:]: kextcache exit status=0

Sep 18 04:05:10 localhost opendirectoryd[101]: 310.15 - Client: coreservicesd, UID: 0, EUID: 0, GID: 0, EGID: 0

Sep 18 04:05:10 localhost opendirectoryd[101]: 310.15 - ODQueryCreateWithNode request, NodeID: 566E251B-0D5D-4809-9B14-2AA29283473F, RecordType(s): dsRecTypeNative:config/SharePoints, Attribute: dsAttrTypeStandard:RecordName, MatchType: Any, Equality: CaseExact, Value(s): dsRecordsAll, Requested Attributes: dsAttrTypeNative:ftp_guestaccess,dsAttrTypeNative:smb_name,dsAttrTypeNative:sha repoint_account_uuid,dsAttrTypeNative:smb_createmask,dsAttrTypeNative:sharepoint _version,dsAttrTypeStandard:AppleMetaNodeLocation,dsAttrTypeNative:afp_guestacce ss,dsAttrTypeNative:afp_shared,dsAttrTypeStandard:RecordType,dsAttrTypeNative:ft p_shared,dsAttrTypeNative:afp_name,dsAttrTypeNative:smb_oplocks,dsAttrTypeNative :afp_use_parent_owner,dsAttrTypeNative:smb_directorymask,dsAttrTypeStandard:Reco rdName,dsAttrTypeNative:afp_use_parent_privs,dsAttrTypeNative:smb_guestaccess,ds AttrTypeNative:smb_inherit_permissions,dsAttrTypeStandard:AppleMetaRecordName,ds AttrTypeNative:smb_shared,dsAttrTypeNative:directory_path,dsAttrTypeNative:smb_s trictlocking,dsAttrTypeNative:sharepoint_group_id,dsAttrTypeNative:ftp_name, Max Results: 2147483647

Sep 18 04:05:10 localhost opendirectoryd[101]: 310.15, Node: /Local/Default, Module: PlistFile - client is using an old record type 'dsRecTypeNative:config/SharePoints' should be using kODRecordTypeSharePoints

Sep 18 04:05:10 localhost diskmanagementd[1436]: DM <-T-[DMToolBootPreference buildBootCachesForDisk:forcing:]: 1

Sep 18 04:05:10 localhost opendirectoryd[101]: 310.15, Node: /Local/Default, Module: PlistFile - ODQueryCreateWithNode completed

Sep 18 04:05:11 localhost opendirectoryd[101]: 310.16 - Client: coreservicesd, UID: 0, EUID: 0, GID: 0, EGID: 0

Sep 18 04:05:11 localhost opendirectoryd[101]: 310.16 - ODQueryCreateWithNode request, NodeID: 566E251B-0D5D-4809-9B14-2AA29283473F, RecordType(s): dsRecTypeNative:config/SharePoints, Attribute: dsAttrTypeStandard:RecordName, MatchType: Any, Equality: CaseExact, Value(s): dsRecordsAll, Requested Attributes: dsAttrTypeNative:ftp_guestaccess,dsAttrTypeNative:smb_name,dsAttrTypeNative:sha repoint_account_uuid,dsAttrTypeNative:smb_createmask,dsAttrTypeNative:sharepoint _version,dsAttrTypeStandard:AppleMetaNodeLocation,dsAttrTypeNative:afp_guestacce ss,dsAttrTypeNative:afp_shared,dsAttrTypeStandard:RecordType,dsAttrTypeNative:ft p_shared,dsAttrTypeNative:afp_name,dsAttrTypeNative:smb_oplocks,dsAttrTypeNative :afp_use_parent_owner,dsAttrTypeNative:smb_directorymask,dsAttrTypeStandard:Reco rdName,dsAttrTypeNative:afp_use_parent_privs,dsAttrTypeNative:smb_guestaccess,ds AttrTypeNative:smb_inherit_permissions,dsAttrTypeStandard:AppleMetaRecordName,ds AttrTypeNative:smb_shared,dsAttrTypeNative:directory_path,dsAttrTypeNative:smb_s trictlocking,dsAttrTypeNative:sharepoint_group_id,dsAttrTypeNative:ftp_name, Max Results: 2147483647

Sep 18 04:05:11 localhost opendirectoryd[101]: 310.16, Node: /Local/Default, Module: PlistFile - client is using an old record type 'dsRecTypeNative:config/SharePoints' should be using kODRecordTypeSharePoints

Sep 18 04:05:11 localhost opendirectoryd[101]: 310.16, Node: /Local/Default, Module: PlistFile - ODQueryCreateWithNode completed

Sep 18 04:06:00 localhost opendirectoryd[101]: 310.17 - Client: coreservicesd, UID: 0, EUID: 0, GID: 0, EGID: 0

Sep 18 04:06:00 localhost opendirectoryd[101]: 310.17 - ODQueryCreateWithNode request, NodeID: 566E251B-0D5D-4809-9B14-2AA29283473F, RecordType(s): dsRecTypeNative:config/SharePoints, Attribute: dsAttrTypeStandard:RecordName, MatchType: Any, Equality: CaseExact, Value(s): dsRecordsAll, Requested Attributes: dsAttrTypeNative:ftp_guestaccess,dsAttrTypeNative:smb_name,dsAttrTypeNative:sha repoint_account_uuid,dsAttrTypeNative:smb_createmask,dsAttrTypeNative:sharepoint _version,dsAttrTypeStandard:AppleMetaNodeLocation,dsAttrTypeNative:afp_guestacce ss,dsAttrTypeNative:afp_shared,dsAttrTypeStandard:RecordType,dsAttrTypeNative:ft p_shared,dsAttrTypeNative:afp_name,dsAttrTypeNative:smb_oplocks,dsAttrTypeNative :afp_use_parent_owner,dsAttrTypeNative:smb_directorymask,dsAttrTypeStandard:Reco rdName,dsAttrTypeNative:afp_use_parent_privs,dsAttrTypeNative:smb_guestaccess,ds AttrTypeNative:smb_inherit_permissions,dsAttrTypeStandard:AppleMetaRecordName,ds AttrTypeNative:smb_shared,dsAttrTypeNative:directory_path,dsAttrTypeNative:smb_s trictlocking,dsAttrTypeNative:sharepoint_group_id,dsAttrTypeNative:ftp_name, Max Results: 2147483647

Sep 18 04:06:00 localhost opendirectoryd[101]: 310.17, Node: /Local/Default, Module: PlistFile - client is using an old record type 'dsRecTypeNative:config/SharePoints' should be using kODRecordTypeSharePoints

Sep 18 04:06:00 localhost opendirectoryd[101]: 310.17, Node: /Local/Default, Module: PlistFile - ODQueryCreateWithNode completed

Sep 18 04:06:10 localhost opendirectoryd[101]: 310.18 - Client: coreservicesd, UID: 0, EUID: 0, GID: 0, EGID: 0

Sep 18 04:06:10 localhost opendirectoryd[101]: 310.18 - ODQueryCreateWithNode request, NodeID: 566E251B-0D5D-4809-9B14-2AA29283473F, RecordType(s): dsRecTypeNative:config/SharePoints, Attribute: dsAttrTypeStandard:RecordName, MatchType: Any, Equality: CaseExact, Value(s): dsRecordsAll, Requested Attributes: dsAttrTypeNative:ftp_guestaccess,dsAttrTypeNative:smb_name,dsAttrTypeNative:sha repoint_account_uuid,dsAttrTypeNative:smb_createmask,dsAttrTypeNative:sharepoint _version,dsAttrTypeStandard:AppleMetaNodeLocation,dsAttrTypeNative:afp_guestacce ss,dsAttrTypeNative:afp_shared,dsAttrTypeStandard:RecordType,dsAttrTypeNative:ft p_shared,dsAttrTypeNative:afp_name,dsAttrTypeNative:smb_oplocks,dsAttrTypeNative :afp_use_parent_owner,dsAttrTypeNative:smb_directorymask,dsAttrTypeStandard:Reco rdName,dsAttrTypeNative:afp_use_parent_privs,dsAttrTypeNative:smb_guestaccess,ds AttrTypeNative:smb_inherit_permissions,dsAttrTypeStandard:AppleMetaRecordName,ds AttrTypeNative:smb_shared,dsAttrTypeNative:directory_path,dsAttrTypeNative:smb_s trictlocking,dsAttrTypeNative:sharepoint_group_id,dsAttrTypeNative:ftp_name, Max Results: 2147483647

Sep 18 04:06:10 localhost opendirectoryd[101]: 310.18, Node: /Local/Default, Module: PlistFile - client is using an old record type 'dsRecTypeNative:config/SharePoints' should be using kODRecordTypeSharePoints

Sep 18 04:06:10 localhost opendirectoryd[101]: 310.18, Node: /Local/Default, Module: PlistFile - ODQueryCreateWithNode completed

Sep 18 04:06:12 localhost Unknown[309]:

Sep 18 04:19:51 localhost opendirectoryd[101]: Received power notification - disabling network activity

Sep 18 08:13:17 localhost opendirectoryd[101]: Received power notification - enabling network activity

Sep 18 08:13:17 localhost opendirectoryd[101]: Received power notification (system has powered on)

Sep 18 08:13:23 localhost configd[112]: subnet_route_if_index: can't get interface name

Sep 18 08:13:27 localhost opendirectoryd[101]: Processing a network change notification

Sep 18 08:23:36 localhost opendirectoryd[101]: Received power notification - disabling network activity

Sep 18 08:43:21 localhost opendirectoryd[101]: Received power notification - enabling network activity

Sep 18 08:43:21 localhost opendirectoryd[101]: Received power notification (system has powered on)

Sep 18 08:43:21 localhost configd[112]: subnet_route_if_index: can't get interface name

Sep 18 08:43:27 localhost opendirectoryd[101]: Processing a network change notification

Sep 18 08:43:34 localhost opendirectoryd[101]: Processing a network change notification

Sep 18 08:43:35 localhost configd[112]: subnet_route_if_index: can't get interface name

Sep 18 08:43:39 localhost opendirectoryd[101]: Processing a network change notification

Sep 18 08:45:03 localhost Unknown[309]: 2004-09-18 08:45 Mac OS X Utilities[534] (CarbonCore.framework) FSEventStreamStart: ERROR: FSEvents_connect() => Unknown service name (1102)

Sep 18 08:45:03 localhost opendirectoryd[101]: 310.19 - Client: coreservicesd, UID: 0, EUID: 0, GID: 0, EGID: 0

Sep 18 08:45:03 localhost opendirectoryd[101]: 310.19 - ODQueryCreateWithNode request, NodeID: 566E251B-0D5D-4809-9B14-2AA29283473F, RecordType(s): dsRecTypeNative:config/SharePoints, Attribute: dsAttrTypeStandard:RecordName, MatchType: Any, Equality: CaseExact, Value(s): dsRecordsAll, Requested Attributes: dsAttrTypeNative:ftp_guestaccess,dsAttrTypeNative:smb_name,dsAttrTypeNative:sha repoint_account_uuid,dsAttrTypeNative:smb_createmask,dsAttrTypeNative:sharepoint _version,dsAttrTypeStandard:AppleMetaNodeLocation,dsAttrTypeNative:afp_guestacce ss,dsAttrTypeNative:afp_shared,dsAttrTypeStandard:RecordType,dsAttrTypeNative:ft p_shared,dsAttrTypeNative:afp_name,dsAttrTypeNative:smb_oplocks,dsAttrTypeNative :afp_use_parent_owner,dsAttrTypeNative:smb_directorymask,dsAttrTypeStandard:Reco rdName,dsAttrTypeNative:afp_use_parent_privs,dsAttrTypeNative:smb_guestaccess,ds AttrTypeNative:smb_inherit_permissions,dsAttrTypeStandard:AppleMetaRecordName,ds AttrTypeNative:smb_shared,dsAttrTypeNative:directory_path,dsAttrTypeNative:smb_s trictlocking,dsAttrTypeNative:sharepoint_group_id,dsAttrTypeNative:ftp_name, Max Results: 2147483647

Sep 18 08:45:03 localhost opendirectoryd[101]: 310.19, Node: /Local/Default, Module: PlistFile - client is using an old record type 'dsRecTypeNative:config/SharePoints' should be using kODRecordTypeSharePoints

Sep 18 08:45:03 localhost opendirectoryd[101]: 310.19, Node: /Local/Default, Module: PlistFile - ODQueryCreateWithNode completed

Reply

Answer 7

Drew Reece

Level 6

10,684 points

Jan 27, 2017 10:59 AM in response to Schwigs

When you verify the cert please select 'generic' & do not select 'Code signing' it should be the first option screen.

I don't believe that message is a problem - the cert is valid (that means all the way back to the root). It looks to me that the cert is not intended for code signing, so that will always produce incorrect results.

Hopefully someone else will be able to verify my hypothesis either for or against.

As for the report - the missing 'AppleInternal' items trouble me. Did you install those items? They may be Apple test tools? Did you clean install this OS? e.g. erase the disk first.

There seems to be more system jobs listed than I'd normally expect, disabling the filtering option sure creates a lot of info :)

If you are not sure what the store did you should backup, erase & reinstall. It is the best & only way I know to be sure that the Mac is not compromised. I reread your post but I can't see if you explicitly erased the disk or just took whatever the store gave you. I suspect the 'AppleInternal' items are left over from their tests - e.g. not a clean OS.

You can restore your user data if you like but obviously that can bring over compromised data.

I don't see signs of a compromise, however you seem convinced something is wrong, so best practice is to start over IMO.

Reply

Answer 8

Schwigs Author

Level 3

759 points

Jan 27, 2017 11:19 AM in response to Drew Reece

Drew, thank you again for the thorough reply. The troubling thing here to me is that this is literally a brand-new machine, right out of the box. I mean, other than turn I'll vault in the far wall on I have done nothing to it whatsoever when I checked the keychain and ran the etre report.

I know I sound like a paranoid maniac, but when Apple sends your old machine back from California with only the message "contact government authorities" after weeks prior of going back and forth to the Apple Store, getting bios unlocked, having seven pass erase done, etc and considering the damage that was done to me in the hack - well, it all just spooks me. What I believe happened back then - and was confirmed by a good friend who is an sysadmin VP at a large insurance company is that when I got hacked, somehow they overlayed a "fake OS" on top of the original OS. Too much to explain here but if you saw the directory structures and such you'd get it immediately. It seems they found an exploit in the EFI and essentially once it was corrupted, the whole machine was finished.

A couple more things worth noting. If I run disk find (df command in bash terminal) on new machine then it literally comes up with the physical drive, efi and regular drive plus recovery drive as you'd expect but then there are also 17 other disks. When I use single user mode and go searching through my directories it just seems that things are really out of order. And in disk utility, the "OS X base system" disk image just looks really strange (which is where the 17 disks are coming from).

Idk, maybe I'm a paranoid *******, but we did find that someone put a packet sniffer somewhere near my property when I got hacked. It was attached to my wifi (which has since been disposed of, only use USB tethering now), but I've wondered if it was Bluetooth or NFC capable as well. All you'd have to do is hook it to a cell phone and power supply and poof, you can hack me all day with the right tools. Probably TMI but I went through a really nasty divorce and former FIL is a retired IBM exec, so finding the resources wouldn't be tough.

But I digress. The certificates not being found in the root is perhaps most troubling because it makes me wonder again - has someone overplayed another OS on top of the original OS and what I see as the root isn't really the root? Again, I've made NO modifications to any of my devices, so this really spooks me. I have nothing to hide, but I REALLT don't want to go through another round of identity theft lock down.

So, here's what I'm thinking -- maybe take the machine back to Best Buy and exchange for new one. Power off my iPhone (who knows, it could be the source of the problem though I have a new one on a new account with a new number like I said and it never "touched" any of the dirty hardware) just in case, setup the machine in the parking lot and see what happens?

Last question before I do that - is there any way to verify root certs directly with Apple via an SSL connection or something like that? I mean, all of mine match up with what's on their list for Sierra, but if they're in the wrong "place", then that seems screwy. Also, if you know how to reflash original firmware before reinstalling Sierra then I'd give that a try too.

Again, thanks for your help, Drew. It's seemed like no one, even higher-ups at Apple have been concerned about my previous issues, so I appreciate your analysis and lending an ear. I'm out right now for the day but will get back on the machine tonight and see if I can dig out anything else odd from it and will throw you some screen grabs of the df list and such I mentioned. REALLY appreciate you, man.

-Andrew

Reply

Answer 9

Schwigs Author

Level 3

759 points

Jan 27, 2017 3:09 PM in response to Drew Reece

Drew,

Again, thank you very much for the help. I hope you know I take no offense to what you said. I do understand the difference between BIOS and EFI, my problem is that I know enough to be dangerous but not enough to fully understand many things.

My main pain point is that when the initial attack happened, no one had answers for me and the number of variables involved is such that it's likely be impossible to find them anyways. So, I'm way past trying to figure out why I was targeted before, but suffice it to say, full on identity theft is scary as ****. Had to freeze credit, was getting calls from banks about apps I never submitted, found this crazy custom SAML password stealing app in my G-Suite admin panel for my business, domain name was stolen, spent days on the phone with Google trying to retrieve it.... I could go on and on, but when your whole business and personal digital existence gets wiped and you have to do things a like use two forms of identification and a verbal password to handle money inside banks, well, it's just leaves you REALLY paranoid.

Perhaps the biggest issue though is that no one had ever even heard of something happening, to me like what did at that level (I've probably given a tenth of the detail, serious) and of course no one had answer. I mean, the senior engineers even who I was allowed to speak to were even dumbfounded and that's just totally freaky. But, like I said, I gotta let it go.

Now, I don't understand why Apple would provide its users the ability to use a code signing app that doesn't trust its own root certs, but whatever. I can let that go as I've had to learn to with many things over the last few months. I just simply don't want a repeat because dealing with the attack that was perpetrated on me was **** near a full time job for a month.

So, I'm going to follow your advice and take the new machine back and exchange it for a new one tomorrow, unbox it and take a look at things. From there, I will just have to trust, I suppose. Don't think I have any other choice at this point.

Listen, I GREATLY appreciate you engaging me on this question. Perhaps I am my own worst enemy and that's the issue. But, I think if I take a new machine out of the box at the store and it compare the same to there's then by logic that should be more than enough for me.

Thanks again, Drew. I'll update you after the exchange. Again, your conversation has been immensely appreciated!

-Schwig

Reply

Answer 10

Drew Reece

Level 6

10,684 points

Jan 29, 2017 1:49 PM in response to Drew Reece

Drew Reece wrote:

I'll see if any developers can help clarify.

I asked for help in the 'water cooler' (a forum for level 6 users & above), 2 experienced users replied with mocking, no one else appeared.

You'll need to look elsewhere for help, clearly this site is full of users who are unwilling to explain or offer help on your topic. Good luck, D.

Reply

Answer 11

Schwigs Author

Level 3

759 points

Jan 29, 2017 3:42 PM in response to Drew Reece

Drew,

Again, VERY much appreciated, especially for the extra effort. I'm sorry you got mocked, haha, but that makes me feel better that it's undoubtedly nothing to worry about. Still gonna exchange the machine - bought a new mid-2015 MBP Retina 15.4 that was essentially the same as my ruined mid-2012 model, but I think I'm gonna get one of the new 13" models. Gf has one and I like it better even despite the smaller screen. Still gonna take the clandestine unboxing measure for peace of mind.

But, speaking of peace of mind, that's really all I'm seeking these days after what I went through and you've really helped me achieve more of it. I think you're right that I'm just now questioning everything. If I told you the WHOLE story of the hack you'd probably understand more as to why - it was some serious next-level **** - but, what's in the past is in the past and I gotta learn to leave it there.

Again, man, you are GREATLY appreciated! Hope I can return the favor somehow one day.

-AS

Reply

Answer 12

rccharles

Level 6

13,037 points

Feb 5, 2017 11:19 AM in response to Schwigs

I recommend that you get a littlesnitch. littlesnitch will track your Web traffic and tell you which applications are sending data from your computer. Be sure to run it awhile because it will trigger a number of alerts. In trail mode, it will run for three hours per boot for a about a month.

http://www.obdev.at/products/littlesnitch/index.html

I've read it's not perfect, but what is.

R

Reply

Answer 13

etresoft

Level 9

56,326 points

Feb 26, 2017 10:26 AM in response to ChaseDaniel

ChaseDaniel wrote:

This is going over my head right now. Mr. Etresoft guy are you saying that the PacketLogger is a normal term for the PF that's on every Mac (which imho is sadly neglected and relegated to the Terminal)?

Hello ChaseDaniel,

No. The PacketLogger mentioned above has nothing to do with the PF (Packet Filter). It is only shown to begin with because the original poster enabled EtreCheck's "show everything" mode. One of the reasons behind the existence of that "show everything" mode is to try to discourage people from digging into log files and jumping to conclusions. Everything mentioned in this thread is 100% normal.

Reply

Answer 14

Drew Reece

Level 6

10,684 points

Feb 26, 2017 11:02 AM in response to ChaseDaniel

Can you tell us what we are supposed to see in that 200 lines of log output?

I have no idea if it normal or not but if you are convinced you have a modified OS you should redownload it, erase the Mac & reinstall. That is probably an over reaction but that is normally what happens when people read log files & assume the worst.

You need to compare your OS to a 'known good' one & tell us specifically what is different or wrong, you can't just poke & prod at it looking for clues. That is a rabbit hole.

ChaseDaniel wrote:

I know that a computer of mine was configured to send something to an IP address in Japan, found a Japanese migration assistant, and I'm afraid to say more.

You know that Japanese people use OS X/ macOS? There is a Japanese localisation of very piece of Apple UI, Apple sell Macs to almost every country on the planet!

The Japanese IP address is evidence of what exactly?

Reply

Answer 15

Mar 25, 2017 10:33 AM in response to Schwigs

Fgf

Reply