#1
Leopard install problems / hacked Mac ??
Hi there, I need help, please. I have a Powerbook G4. I think I got a trojan while running Tiger before the last Apple security update (Sep. 10, 2009?). Revealing hidden files with MainMenu showed a hidden mirror mount of my HDD on my 'network' (I think I have this again). Since then, I have tried to reinstall Leopard 5 or 6 times from a retail copy. Guys at the 'Genius' Bar tell me I'm just paranoid, but I think something is up. After booting from Leopard DVD and secure erasing then formatting my HDD with a single volume, running 'diskutil info' from console lists 6 mounted disks. Disk0 = my HDD, disk1 = DVD, disk2-disk5 are 'file system = UFS' (nothing is attached to comp other than power cord). Also, the volume I create is missing ~1 GB of space 'not avail' and has 3 files and 3 folders (this may all be normal, IDK, just trying to give as much detail as possible). So...after installing Leopard (before attaching anything to the Mac or connecting to the internet), I notice many strange 'Date Created' and 'Date Modified' dates (some from 1976..see screenshots, taken immediately after install), root certificates with 'not trusted' warnings in Keychain, and lots of 'alias' and other files that seem not to belong. When I do connect to the internet, Safari wants my 'login password', and 'Stealth Mode' firewall reveals an instant flood of UDP connection attempts (I also 'hard reset' my Airport Express and updated it). I don't know what's going on, but it sure doesn't seem right. Please have a look and give me any thought or help!
Thanks, Jake
Last edited by Zincfinga; November 1st, 2009 at 01:42 PM. Reason: forgot an attachment
#2
Why do you insist that the guys at the Genius bar are pulling your leg? My guess is that the problem with your dates is that you modified files before you properly set the clock--if you ever properly set the clock. The bottom line is that the only thing that is up is your own paranoia.
#3
Did you see disk2 in the diskutil log? That's normal?? I have an 80GB HDD. Why is it showing a 148GB drive??
#4
Also, I took the screenshots BEFORE opening ANY files, and the last step of the setup after installation was setting the date. Other things that are happening now: System Preferences are being changed despite being locked; the group 'administrators' keeps appearing in 'allow access for' in 'remote apple events' under 'sharing'; 'DL important updates' under 'Software Update' gets checked despite me un-checking then locking preferences. BTW, I don't think they're pulling my leg. I think they assume I'm just being paranoid, and they didn't even look at the logs. Did you??
#5
Some of what you see may be caused by your dead backup battery, which would dump your time & date (reverts to 1976 on your model) until you set the time and date yourself, or the network connection finalizes so the time & date can update via the network. The only strangeness that I see anywhere in your 'logs' is the disk2. That's apparently a 160GB drive image, created on a sparse bundle disk. That would either be used by FileVault, or might be your Time Machine backup. That would likely stay in place, because the backup that you restored from would keep record of the volumes used for your time machine backup. Does that help you at all?
__________________ Serendipity is a lucky guess !
#6
What do you find out when you check some of the problem areas that YOU see, on another Mac? You will likely find that those are perfectly ordinary, and (even with questions) are no cause for any special attention. I think you will also find that most folks here will not provide support for paranoia, and may even offer encouragement that your computer is likely normal, even though I am not so sure about me...
#7
Thanks for your replies, DeltaMac. Of course I expect most ppl to think I'm some paranoid fool. I ran Tiger on this machine for 4 years with no firewall and never had a problem or suspected one. I am not a paranoid person and am very familiar with the GUI side of Mac OS X. I know something is up, but I don't know enough about it to say what exactly is going on. I don't have any 'backup' image and have never turned Time Machine on, but I did use File Vault. Your explanation of the dates would make sense if they were either the 'default date' or the current one, but there are many dates, esp. from 2007. So...I installed Onyx and revealed hidden files. Please look at the attached image and tell me if it looks normal. (See the two 'drives' called 'dev'...when I click on the bottom one the name changes into 'etc' (showing 2 'etc').....if I click the bottom of those two, it changes to 'home' (showing 2 'home'), and so on...) Also, my home folder is now an 'alias'.
Thanks for your time, Jake
#8
If I click 'users' in the left column, the one in the right becomes highlighted and I see the users to the right of that column...my whole drive seems mirrored. Normal??