it started with identity fraud of our family's bank accounts

I have had this same issue for weeks, and it started with identity fraud of our family's bank accounts. This is related to the Adobe installer, Flash or any PC translating software that you may or may not have intentionally agreed to... it allows another user to enter your Mac as a root user (persistent) and execute false certificates, scripting and an overall restructuring of your machine so that every effort to erase and reinstall is pointed to a Mac OSX legacy configuration that allows this outside user to remain connected and able to modify permissions. Over the past week I've had my permissions and settings changed via script, my cron settings altered, and now all logs are encrypted. I have pages of Unix screenshots showing this activity, and our home router, iPad, phones and even our cars have been accessed by similar outside programs - all showing our data moving out to servers in foreign countries. The consistent link seems to be that they require PCs to view anything or receive - the few logs I was able to recover show data going to IP addresses at Private LLC server hosting in Florida that is linked to child **** sites, and also to bank servers directed to Russia. The entirety of our household data went to a major server farm in Germany (with alleged ties to the Russian government). Why they want this is beyond me, but I am noticing a lot of Mac users complaining of similar issues to what we've dealt with since Feb/March. When OSX is reinstalled (after erasing all), the default profile will have nonsensical pointers to sub-OSX images - to ensure that you see and use a variant operating system with different permissions. I recognize this is a common configuration, but not when OSX recovery images are available in 3-5 different subfolders after an erase/partition and reinstall.
First Aid seems to recognize and fix the directory or hierarchy issues, but if it's really successful, your hard disc will be suddenly disabled and you are left with no option but to reformat/partition. The Recovery Image (below) is left intact - as is the OSX Base. Once reformatting occurs (again), the default file system installed is identical to the one above - complete with Keychain and MDNS service plists that redirect all installs to a configuration allowing foreign IP addresses and users to authenticate as root and conduct activities on the primary user's account (you) even when your computer and wifi are offline or shut down.


The background Sys Admin/Root user is able to script, manipulate and revert settings on the fly, and has accessed my keyboard, camera and sound via Siri and other programs (if you use elite or rev411, you can see these hidden processes running in your Activity Monitor, even if Siri is disabled in your user preference pane). If you open a Terminal, common Unix commands (find, ls) may or may not be recognizable, even if you are executing as root, and even then, you are likely seeing only directories or var/ that they allocate for this purpose (I had about a week of success and screenshots where I really captured the hidden file directories, IPs and logs until this was blocked). You may also see that Unix helper prefs are enabled only in English, Russian and Chinese....


If all of this sounds insane, I don't blame anyone and I've noticed Apple replies are abject denials (but keep sending those weekly 'updates' and 'bug fixes'). We can't believe it either - but our children's photos are now gone, our bank account is actively being hacked through users who know our new account numbers and passwords (daily) and our home ATT router is regularly redirected to outside IP addresses correlated to IP addresses used to move data from home computers. Apple refuses to acknowledge what may be a massive hack of personal data from all devices. Best of luck to everyone - really - if anyone has a solution to this, I'd love to hear it (as soon as possible).


<Re-Titled by Host>

Posted on Apr 28, 2017 11:06 AM

17 replies

Apr 28, 2017 12:21 PM in response to CALev2017

To condense this down to where I see actual issues:

This is related to the Adobe installer, Flash or any PC translating software that you may or may not have intentionally agreed to…it allows another user to enter your Mac as a root user (Persistent) and execute false certificates,…

The real Adobe Flash Player will never, ever do such a thing. I would have to presume you, or someone else in your household, fell for the prolific scam on the web of a rogue site claiming you need to download and install a Flash update (or a Java update, or a video codec) to view or use their site. Without fail, literally 100% of the time, such installers directly from an unknown web site are malware, and not what they say they are. The real Adobe Flash Player is available from one, and one place only - Adobe. Java (the latest version), only from Oracle. For Mac Java apps that require the older Java 6, only from Apple.

Once reformatting occurs (again), the default file system installed is identical to the one above - complete with Keychain and MDNS service plists that redirect all installs to a configuration allowing foreign IP addresses and users to authenticate as root and conduct activities on the primary user's account (you) even when your computer and wifi are offline or shut down.

If you installed nothing else after reinstalling the Mac OS on an erased drive, and did not restore any type of backup, that is impossible. This appears to be your real problem.

our home ATT router is regularly redirected to outside IP addresses correlated to IP addresses used to move data from home computers. Apple refuses to acknowledge what may be a massive hack of personal data from all devices.

It's your router that's been hacked, not your Mac. Notice that the problem affects all devices using the Internet.


Unplug the Internet connection from the router so no one can see what you're doing. Before bothering with any of the rest of the following, if this is an old router (like more than 8-10 years old), start by throwing it away and get a new one. If not, continue. Though even if you do get a new router, some of the following applies. Particularly admin password entry to the router's settings, and remote access.


Reset the router. Typically, this involves holding in a small recessed button for 5 seconds or so. Check your manual for the specifics. This puts all settings on the router back to factory defaults.


For a very long time, router manufacturers used simple admin entry, such as "admin" for the user name, and blank for the password. Or, reversed as no admin user name and "admin" as the password. This makes it incredibly easy for anyone within range of your router to break into it. All they have to do is cruise the neighborhood, type 192.168.0.1 into their laptop's web browser, and wait for a router to respond. Then try the various easy default admin/password to see if they can get in. Once in, it doesn't matter how complex your wi-fi password is, they can see it, copy it, and then use it to login to your network.


First thing to do is make sure no one can see what you're changing. So don't just unplug the router's Internet cable, but go into the router's wireless settings and disable all wireless broadcasting. Anyone who may be illegally sharing your bandwidth will now be cut off.


Next is to make your admin access to the router's settings difficult for anyone but you to get past. If it doesn't already have a complex password, give it one. DO NOT use simple things like applepie, password, 1234. It needs to be something that can't be easily guessed. Such as Rby4UV9eFe19u4zA. Make a note of this somewhere so you don't forget it. If you do, you'll have to do a reset on the router again to get back into it.


Since someone may already know your wireless passwords, change those to something equally complex, as you did for the admin password. You'll need to update your devices later to login with the new passwords you create. Make sure wireless security is WPA2. If this is not an available option, throw the router away immediately and replace it. Do not choose a setting such as WPA2/WPA/WEP, where all three are used at once. WEP can be hacked in less than a minute with the right tools. It's totally useless. If you have any device that cannot connect to WPA2, turn WPA on. If it can't access that either, replace the device. Never use WEP - ever.


Lastly, look for any remote access settings and turn them off. There is no need for these to be on for just about any typical user, and this is how crooks get into routers remotely. Once in, they can create all the redirects they want.


Now, with all settings and passwords changed, turn wi-fi back on. Only you should know how to reconnect to your router, no one should be able to easily get in through the admin page, and remote access will be disabled.

Apr 28, 2017 2:01 PM in response to Ferd II

Entirely possible. But kind of difficult to get. At least in the U.S. since it's currently targeting European users. You still have to get an email with the malware .zip attachment. Then you have to run it. Then you have to be silly enough to click the Update All button to actually infect your Mac.


Not sure how the author of the piece missed the obvious way to shut the process down - Force Quit. He or she wrote:

The victim is barred from accessing any windows or using their machine in any way until they relent, enter the password and allow the malware to finish installing.

"In any way"? So this person is saying I can't even unplug the computer and kill power to it? Not that it's necessary to be that drastic. There are at least a few ways out of the installation. None of them difficult.


Being a signed app, it won't be long before Apple pulls the credentials and permanently blocks the malware. They're fast when it comes to real threats.

Apr 28, 2017 2:05 PM in response to KiltedTim

More on this here.

[...]

Anti-virus protection is now starting to detect it, but removal is likely to be a tougher proposition: Malwarebytes’ Anti-Malware should now detect it reliably, and other products should follow. It appears unlikely that the recent update to Apple’s MRT provides any protection from OSX/Dok. Apple has today revoked the developer certificate used to sign the installer Dokument.app, so that should be blocked by Gatekeeper.

[...]

Apr 28, 2017 2:13 PM in response to CALev2017

Can you supply some facts to back up your claims? Things like the following (all from Terminal):


set


ls -lae@0 /var/log


ls -lae@0 /


The first command will tell us what your path and other shell variables are. The second and third will show us what the contents of your /var/log and / folders are. How are you determining that your files are being shipped to servers in foreign countries?


Please provide some details so we know you're not just pulling our leg.


Good luck...

Apr 29, 2017 4:54 PM in response to CALev2017

1. Is English your first language?
You use words, but the syntax is very strange...


2. You've listed many highly technical and troubleshooting methods which should imply that you know what to do if you screw up and accidentally install a virus.


3. Why wasn't your first instinct to backup/wipe your computer and start over fresh on a known safe internet connection?


4. Where is the proof of all of your claims?

If you have such evidence of data exfiltration, why did you not just unplug everything and reference step three above?


5. Where are your backups?
If you lose data due to a malicious program or disk failure, that's your fault, not Apple's.


6. I've seen posts like this before where it's the NSA or some other 3-letter government spy agency that has hacked everything in that person's house, making it a living nightmare. However, some of what you said makes you sound insane; the other half of what is listed is impossible, impractical, or only works in the movies.

Apr 30, 2017 7:52 AM in response to ishrugged

The uppercase O lists the "flags" associated with a file (not all files have "flags", and if they don't, they will simply show a "-" in the ls listing -- look closely and you will see a difference); the lowercase o lists a "long" format without the group id (read the man page). These are not the same thing. For example:


MacBook:CoreServices xxx$ pwd
/System/Library/CoreServices
Bobs-10p14-yyy-MacBook:CoreServices bobf$ ls -lae@o | head
total 3472
drwxr-xr-x 160 root 5440 Apr 29 13:23 .
drwxr-xr-x 92 root 3128 Apr 12 19:38 ..
-rw-r--r--@ 1 root 653 Apr 12 17:33 .disk_label
    com.apple.FinderInfo 32
-rw-r--r--@ 1 root 2621 Apr 12 17:33 .disk_label_2x
    com.apple.FinderInfo 32
drwxr-xr-x 3 root 102 Jan 18 19:10 AOS.bundle
drwxr-xr-x 3 root 102 Feb 14 19:38 AVB Audio Configuration.app
drwxr-xr-x 3 root 102 Feb 6 18:56 AddPrinter.app
MacBook:CoreServices xxx$ ls -lae@O | head
total 3472
drwxr-xr-x 160 root wheel restricted 5440 Apr 29 13:23 .
drwxr-xr-x 92 root wheel restricted 3128 Apr 12 19:38 ..
-rw-r--r--@ 1 root wheel restricted,hidden 653 Apr 12 17:33 .disk_label
    com.apple.FinderInfo 32
-rw-r--r--@ 1 root wheel restricted,hidden 2621 Apr 12 17:33 .disk_label_2x
    com.apple.FinderInfo 32
drwxr-xr-x 3 root wheel restricted 102 Jan 18 19:10 AOS.bundle
drwxr-xr-x 3 root wheel restricted 102 Feb 14 19:38 AVB Audio Configuration.app
drwxr-xr-x 3 root wheel restricted 102 Feb 6 18:56 AddPrinter.app
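As an added example (not code from the post above, and not an Apple tool), the following Python script parses a captured `ls -lae@O` listing into records so the flags column can be checked mechanically: which entries carry the SIP `restricted` flag, which are `hidden`, and which have no flags at all. It also detects the lowercase `-o` layout the thread discusses (no group column, no flags column) and refuses to parse it, since the columns would otherwise be misread. The sample input is constructed from the listing shown above, plus one invented entry, `Example.app` with flags `-`, so that the "not restricted" check has something to report.

```python
"""Audit BSD file flags from a captured `ls -lae@O` listing.

Added example for this thread; it is not code from the post above or from
Apple. It works on listing text, so it runs on any platform. SAMPLE is
constructed from the /System/Library/CoreServices listing in the post,
plus one made-up entry (Example.app) with no flags.
"""
from dataclasses import dataclass, field
from typing import List

# Constructed input: the post's `ls -lae@O | head` output, with the
# extended-attribute detail lines indented the way `ls -@` prints them,
# and one invented entry ("Example.app", flags "-") appended.
SAMPLE = """\
total 3472
drwxr-xr-x 160 root wheel restricted 5440 Apr 29 13:23 .
drwxr-xr-x 92 root wheel restricted 3128 Apr 12 19:38 ..
-rw-r--r--@ 1 root wheel restricted,hidden 653 Apr 12 17:33 .disk_label
\tcom.apple.FinderInfo\t32
-rw-r--r--@ 1 root wheel restricted,hidden 2621 Apr 12 17:33 .disk_label_2x
\tcom.apple.FinderInfo\t32
drwxr-xr-x 3 root wheel restricted 102 Jan 18 19:10 AOS.bundle
drwxr-xr-x 3 root wheel restricted 102 Feb 14 19:38 AVB Audio Configuration.app
drwxr-xr-x 3 root wheel restricted 102 Feb 6 18:56 AddPrinter.app
drwxr-xr-x 3 root wheel - 102 Apr 30 08:00 Example.app
"""


@dataclass
class Entry:
    perms: str
    links: int
    owner: str
    group: str
    flags: List[str]          # [] when ls printed "-" (no flags set)
    size: int
    mtime: str
    name: str
    xattrs: List[str] = field(default_factory=list)


def is_lower_o_listing(text: str) -> bool:
    """True if the text looks like `ls -lo` output (lowercase o).

    With -o there is no group column and no flags column, so the fourth
    field of the first entry is the numeric size. With -O it is the group.
    """
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("total ") or raw[0] in " \t":
            continue
        parts = raw.split()
        return len(parts) >= 4 and parts[3].isdigit()
    return False


def parse_ls_O(text: str) -> List[Entry]:
    """Parse `ls -lae@O` output into Entry records."""
    if is_lower_o_listing(text):
        raise ValueError("listing has no group/flags columns; capture it with "
                         "an uppercase O (ls -lO), not a lowercase o")
    entries: List[Entry] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("total "):
            continue
        if raw[0] in " \t":
            # `-@` prints each extended attribute, indented, under its file
            if entries:
                entries[-1].xattrs.append(raw.split()[0])
            continue
        parts = raw.split(None, 8)
        if len(parts) < 9:
            raise ValueError(f"unexpected line: {raw!r}")
        perms, links, owner, group, flags, size, mon, day, rest = parts
        # rest is "HH:MM name" (or "YYYY name" for old files); the name may
        # itself contain spaces, so split only once
        tm, name = rest.split(None, 1)
        entries.append(Entry(perms, int(links), owner, group,
                             [] if flags == "-" else flags.split(","),
                             int(size), f"{mon} {day} {tm}", name))
    return entries


def unprotected(entries: List[Entry]) -> List[Entry]:
    """Entries (excluding . and ..) that lack the SIP 'restricted' flag."""
    return [e for e in entries
            if e.name not in (".", "..") and "restricted" not in e.flags]


def hidden(entries: List[Entry]) -> List[Entry]:
    """Entries carrying the 'hidden' flag (Finder does not show these)."""
    return [e for e in entries if "hidden" in e.flags]


if __name__ == "__main__":
    listing = parse_ls_O(SAMPLE)
    for e in unprotected(listing):
        print(f"not restricted: {e.name} (flags: {','.join(e.flags) or '-'})")
    for e in hidden(listing):
        print(f"hidden: {e.name}")
```

On a Mac you would feed it the real output of `ls -lae@O /System/Library/CoreServices` instead of SAMPLE; anything under /System that comes back without `restricted` is worth a closer look, since SIP sets that flag on the system tree. The `-o` check matters because the lowercase variant drops the group and flags columns, so a parser written for `-O` would read the size as the group and the month as the flags.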

Apr 30, 2017 8:14 AM in response to Csound1

You must have been watching a James Bond movie last night 😉


I hope the OP does give some facts to back up his system's current state, but lack of a response only makes me think that his situation is not as serious as he seems to think it is, or at least the real causes of what they are seeing is not what they think it is.


Time will tell...

Apr 30, 2017 11:23 AM in response to ishrugged

No problem - appreciate you pointing out the 0 vs O - hard to see on the font for these web pages, and it's always good to document incorrect statements in these threads. Would really be nice if you could go back later and edit your comments, but you only have 15 minutes to do that (I think it's 15 minutes anyway). After that the only thing to do is either correct your posting with another posting or have someone else point it out if you don't notice.


I'm like you, in that I learn all kinds of stuff on these discussion forums that I can use on my own computer. It really is the best sort of learning when you learn by seeing others' perspectives and points of view - it's hard to be perfectly objective about yourself, so input from others is always welcome. Sometimes you may not agree, but that doesn't make what others say invalid - it's just a different take on any given situation.


Good luck...

May 1, 2017 7:04 PM in response to Ferd II

YES - thank you for this information and the link to the virus/malware info.

Kurt - you are correct, but the issues were significantly beyond our control to 'fix' as settings in both the computer, home router and all iOS devices reverted even after re-setting. As the link to the virus indicates, the first thing that occurs is significant change to shell, user permissions and basic start-up/account scripts.


When I launched the Activity Monitor (due to repeated Kernel Panics), I noticed that Launchd, _mdsetupuser and accounted were taking too much CPU and Network time when the machine was in sleep mode. Activities like Siri, Audio/Video inputs and photos were being actively managed by the 'Sys Admin' or 'Root Usr' or a '_Remotehost.' I am not trained in computer science (sorry if I sound foreign LOL), but I was surprised by so many posts to Apple these past and would never download anything that wasn't from the developer website (i.e. Adobe). The monthly/automatic updates function allows ports and even network utilities to remain in persistent 'alive' states that can be exploited.


Another way to identify if a computer is infected is to view the keychain activity, and 'root certificates.' You'll see a list of Certificates from Europe, Eastern Europe and even Apple Developer certs....these are not defaults (based on reloading El Capitan from a boot disc).


Sadly, the only way I found to fix all of this is to reinstall El Capitan from an external hard drive (downloaded through Apple). When I tried to use Disk Utility to format the hard drive for this process, my computer installed default files that would result in the directory structure and permissions of the infected system. So ERASE it all...start over, and then use an outside/secure computer to re-set all passwords, making sure all spotlight, security, bluetooth, Thunderbolt and other options for sharing or connections to outside computers are secure.


Thanks again....
