Question: Very skilled hack
Specs: iMac mini. Current OS Sierra. Started as Mavericks; machine was purchased right before Yosemite came out. Eventually upgraded to Yosemite and then recently to Sierra.
I first tried the Google app, but it couldn't see my phone. So I installed an app from the Apple store to let me talk to a new Android phone I just purchased. That failed also. I gave up; just easier to move the files from a Google drive at this point. This clobbered my keychain right off the bat. I wound up having to change my password, delete the old keychain and create a new one as a result. Initially I thought that recreating the keychain was the problem and that I had just mistyped the password I thought I set. Annoying, but I didn't worry too much initially. Everything worked even though every saved password I had for everything on Chrome & Firefox was wiped out by the keychain reset.
I rarely reboot and was extremely busy, so I set it aside for a bit since everything worked. Then I needed to reboot for an update. I went straight into my account. That was disturbing, as I have it set to make me log in. If I log out, I can fail at the password to log back in, then it logs me back in with a failed password. I never get the option to reset the password from the login prompt. If I boot into Command-R, it logs me in. No login screen. I cannot get to the recovery partition. Without the password I cannot install High Sierra from the Mac store. The login screen won't let me reset the password either.
I don't have a Time Machine backup. Turned it off as it was wearing out the HD and not really helping me any. Too few options as to how and when to make backups. In particular the inability to add only changed files or rotate out backups so I didn't fill up my external drive. I just do manual backups and all user files are backed up.
In /library/Application Support/ I found a suspicious dir called T. Under T was /RootTools with roottools.conf as the only file. The contents of the file are node_id= long number & node_id2= another long number. It's hex but doesn't look like an IP addy. Too short.
So my question is how do I reinstall the OS and wipe out any suspicious apps? The only suggestions I can find in a Google search have failed. Would any Apple staff be interested in forensics on the machine? I am comfortable with the command line, have a strong Linux/Unix background. In fact I'm typing this from a Linux machine right now.
Mac mini, Mac OS X (10.6.8)