Can't clean install

[mazzy]

I posted earlier because I thought I had a virus, but no one else seems to think so. However, everything has gone to hell, and I still can't resolve my problems. I've tried several times, unsuccessfully, to do a clean install. I've zero'd the disk, but still have some unremovable files. No software that I download and install works like it's supposed to. Cache cleaners don't remove cache, etc. Some programs won't even mount, giving various reasons, from codec errors to "device not configured" errors. Terminal doesn't work right either. Using Peek-a-Boo (to view which processes are running), it shows the command for Terminal is /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal -psn_0_6029313

and it uses these processes--

/Users/roxy
/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
/System/Library/CoreServices/CharacterSets/CFUnicodeData-L.mapping
/System/Library/CoreServices/CharacterSets/CFCharacterSetBitmaps.bitmap
/System/Library/CoreServices/CharacterSets/CFUniCharPropertyDatabase.data
/Library/Caches/com.apple.IntlDataCache.le.sbdl.501
/System/Library/Fonts/LucidaGrande.dfont
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/Extras2.rsrc
/System/Library/Contextual Menu Items/AutomatorCMM.plugin/Contents/MacOS/AutomatorCMM
/System/Library/Contextual Menu Items/FolderActionsMenu.plugin/Contents/MacOS/FolderActionsMenu
/System/Library/Contextual Menu Items/SpotlightCM.plugin/Contents/MacOS/SpotlightCM
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/HIToolbox.rsrc
/Library/Caches/com.apple.LaunchServices-014501.csstore
/usr/share/icu/icudt32l.dat
/System/Library/Caches/com.apple.IntlDataCache.le.kbdx
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/English.lproj/Localized.rsrc
/System/Library/Extensions/AppleHDA.kext/Contents/PlugIns/AppleHDAHALPlugIn.bundle/Contents/MacOS/AppleHDAHALPlugIn
/System/Library/Components/CoreAudio.component/Contents/MacOS/CoreAudio
/usr/lib/dyld
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreText.framework/Versions/A/CoreText
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/ATS
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
/usr/lib/libicucore.A.dylib
/usr/lib/libobjc.A.dylib
/usr/lib/libstdc++.6.0.4.dylib
/usr/lib/libgcc_s.1.dylib
/usr/lib/libauto.dylib
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/CarbonCore
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/OSServices.framework/Versions/A/OSServices
/System/Library/Frameworks/Security.framework/Versions/A/Security
/System/Library/Frameworks/DiskArbitration.framework/Versions/A/DiskArbitration
/System/Library/Frameworks/CoreAudio.framework/Versions/A/CoreAudio
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/AE.framework/Versions/A/AE
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ColorSync.framework/Versions/A/ColorSync
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/QD.framework/Versions/A/QD
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/HIServices.framework/Versions/A/HIServices
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/LaunchServices
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/ImageIO
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libJP2.dylib
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ImageIO.framework/Versions/A/Resources/libTIFF.dylib
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/DesktopServicesPriv
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/SecurityHI.framework/Versions/A/SecurityHI
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/OpenScripting.framework/Versions/A/OpenScripting
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
/System/Library/Frameworks/CoreData.framework/Versions/A/CoreData
/System/Library/Frameworks/AudioToolbox.framework/Versions/A/AudioToolbox
/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore
/System/Library/Frameworks/CoreVideo.framework/Versions/A/CoreVideo
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libCGATS.A.dylib
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libCSync.A.dylib
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/libRIP.A.dylib
/usr/lib/libncurses.5.4.dylib
/dev/null
/dev/console
/dev/console
apple.shm.notification_center
/tmp/com.apple.csseed.64
apple.shm.notification_center
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/Extras2.rsrc
/dev/urandom


/Applications/Utilities/Terminal.app/Contents/Resources/Terminal.rsrc
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/HIToolbox.rsrc
/dev/ptyp1
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/English.lproj/Localized.rsrc


So........... is this normal?

Sorry to be such a pain!

 

[Giaguara]

Partition the hard drive when booted from install disc (insert it, restart, hold down C to boot from it, then Utilities > Disk Utility when booted to install disc). After partitioning erase and install should be possible to select.

 

[mazzy]

I've done that over and over.

 

[Giaguara]

So you have partitioned the disc, and after that still the installation fails?

Are you using the install disc that came wiht your Mac or a separately purchased one? 10.4 or 10.5 disc? Are there any scratches on that disc? If it's 10.5, can you install the OS the Mac came with?

At what exact point does the installation fail? Do you get a specific error message (also from installation console view there should be an error description available)

If you try with the installation disc checkup (without skipping in beginning of installation), does that fail too?

Are you running that Mac with the RAM it came with or have you added any extra? (maybe try without extra RAM or run RAM tests in AHT)

 

[mazzy]

I've partitioned the disk, and zero's the disk, but I can still see my files still there, so it's only faking that it's partitioning and zeroing. This is why I think I have a virus, because it's not going away, and pretending to overwrite files, but not really overwriting them.

I have 2 automounts that won't unmount.
Peek-a-Boo show the full commands as
/usr/sbin/automount -f -m /Network -nsl -mnt /private/var/automount
and
/usr/sbin/automount -f -m /automount/Servers -fstab -mnt /private/Network/Servers -m /automount/static -static -mnt /private/var/automount

Thanks for your help!

 

[Giaguara]

Hm.
In the options for formatting the hard drive, select the 35-times write on the disk. That will take some time, but will write everywhere on the disk for 35 times, making seeing any applications rather impossible.

Or log in single user mode, and

rm -rf *

 

[mazzy]

Thanks......I'll give that a try and let you know the results.

 

[mazzy]

Well, after overwriting 35 times, those files immediately reappeared, leaving me again suspicious that I have a virus that is not allowing the disk to be overwritten, only re-installing itself. I'm not extremely knowledgable, so correct me if I'm wrong, but can't OS X be saved on a partition and installed from within, and not from the cd/dvd? Is it possible that this is happening on my machine? What is an infinite loop, and could I have it going on here? What is Zbootermnt? After my 35 writes, I still had /var/tmp showing 50 mounts and 1 Zbootermnt. Right now, in /private/tmp/ I have 140 files named WebKitPluginStreamxxxxxx. I still have the 2 automounts. They are servers, which points to localhost, which points to my entire drive, and static, which does the same. Most of my files are owned by system - wheel.

I'm really desperate, and greatly appreciate the help.

 

[Giaguara]

/var/tmp are the files the OS is mounting as temporary files while it is preparing anything to be installed. Zbootermnt is nothing more to worry about than finding .make or .install - it is supposed to be somewhere where you mount the filesystem. You erased the disk 35 times, so the files you had on the hard drive are gone. Mount this hard drive in target disk mode and view from any other Mac and you see it's in virgin state, nothing in it (unless you have some tool like Drivesavers use for hardcore data recovery). At this point, even if you would put a vanilla hard drive, straight from a packet, direct from a factory, and would start installing OS there, Mac OS X would still mount /private, /var, /etc and a few /. directories there.

 

[mazzy]

Ok, I'm sure I'm suspicious of the wrong files........I'm suspicious of everything right now. I just did the update which takes forever and after reboot I get so many error messages that I have to put in my install CD to reinstall, or archive and install. Of course the errors that I see aren't logged, so I can't show you my log. I can only try to jot some of them down.

Some of the errors are --
kextd_watch_volumes: couldn't setup diskarb session
CNETInfoPlugin::Initialize - notify get state failed
mcxd - DSGet special node name
mcxd -unable to register Server
mcxd - run loop could not be started
mcxd - unable to open local node
mcxd - DSGet special node name

So what is mcxd? I asked before and was told it was normal. But it seems to have a lot to do with my setup, and I'm not running a server, and I don't belong to a network

Thanks again.

 

[mazzy]

Also, is there somewhere that I can download the Safari update? I've tried to download it, but I can't find it apart from the Tiger 10.4.11 update, which I haven't had any luck installing.

Again, thanks for all of your help. Merry Christmas to all! And Happy Holidays to those of you who may not celebrate Christmas!

 

[mazzy]

Sorry to be a pest, but I'm still having problems. I'm still unable to update Safari. And why is safari-gatekeeper.plist in /system/library/privateframeworks/diskimages.framework/versions/a/resources/agent.defaults? Can someone please explain what it means?

Hopefully there aren't any typo's below. Copy and paste doesn't work anymore

<!--
Safari will run DIHLDiskimageAttach with agent=gatekeeper first which causes SLA's to be suppressed, checksum verification will forced ON, IDME-post-processing will be suppressed, and auto-open of the mount points will be suppressed. The image will not be browsable, DiskArbitration notifications will be suppressed, and Disk Utility will not display the image.

agent=safari will be modified to allow SLA's to be presented,
checksum verification will be suppressed, IDME-post-processing will be allowed, and reveal of the IDME contents or mount points for non IDME images will be enabled
-->

<key>mount-private</key> <!-- don't issue DiskArb notifications -->
<true/>
<key>mount-nobrowse</key> <!-- Carbon won't see us if user traverses mount point -->
<true/>
<key>mount-point</key>
<string>/tmp/</string>
<key>system-image</key> <!--DiskUtility will ignore this image -->
<key>mount-type</key>
<string>randomized</string> <!-- generate random mount point name -->


<!-- for all disk images -->
<key>skip-sla</key>
<true/>
<key>skip-verify</key>
<false/>
<key>skip-verify-remote</key>
<false/>
<key>skip-verify-locked</key>
<false/>

<!-- for IDME images -->
<key>skip-idme</key>
<true/>
<key>skip-idme-reveal</key>
<true/>

<!-- for normal disk images -->
<key>auto-open-ro-root</key>
<false/>
<key>auto-open-rw-root</key>
<false/>

<!-- Safari handles UI -->
<key>suppress-uiagent</key>


And again, sorry for being a pest.

 

[Kees Buijs]

I've done that over and over.

First unpartition your drive (using disk utils from the installation cd) and power down completely. Than after a few minutes restart (ofcourse from the installation cd shipped with the computer) and check if the partition is gone.

If you use the cd's always, i can not be a virus unless the cd is infected and apple is not in the habit of distributing infected cd's.

If the partition is still there, something is wrong with the drive. Best is to take if to someone with LINUX or WINDOWS (oops) and have him/her remove the partition. After the partition is gone and stays fone, you can start with a clean install and no problems should occur.

It is possible to lock drives to prevent changing some partition information and this seems to be the case in your situation.


Good luck, Kees

 

[mazzy]

Thanks Kees. I'll give this a try. If the drive is locked, how would I unlock it?

 

[Soulwar]

Just a thought, but have you tried the Apple hardware test cd?

 

[mazzy]

No, I haven't tried that. Is it free? Sorry to sound so cheap, but I spent a fortune trying to repair the damage a hacker and a rootkit caused on Windows, then finally gave up and bought a Mac.

But I have used Drive Genius. I can't really access my drive with it, but it does show 4 partitions.
1) (Unknown) Apple_Free : 3.00 KB
2) (disk0s1) EFI System Partition : 200.00 MB
3) (disk0s2) Apple_HFS : 74.21 GB
4) (Free Space) Apple_Free : 128.00 MB

Terminal confuses me, and I'm not really sure what it all means, but if I type 'mount' it shows-
/dev/disk0s2 on / (local, journaled)
devfs on /dev (local)
fdesc on /dev (union)
<volfs> on /.vol
/dev/disk1s3 on /Volumes/Mac OS X Install Disc 1 (local, nodev, nosuid, read-only)
automount -nsl [170] on /Network (automounted)
automount -fstab [188] on /automount/Servers (automounted)
automount -static [188] on /automount/static (automounted)

and 'diskutil list' shows -
/dev/disk0
#: type name size identifier
0: GUID_partition_scheme *74.5 GB disk0
1: EFI 200.0 MB disk0s1
2: Apple_HFS mac 74.2 GB disk0s2
/dev/disk1
#: type name size identifier
0: Apple_partition_scheme *4.7 GB disk1
1: Apple_partition_map 31.5 KB disk1s1
2: Apple_Driver_ATAPI 4.0 KB disk1s2
3: Apple_HFS Mac OS X Install Disc 1 4.7 GB disk1s3

I wrote this down yesterday, but I can't remember which command I used to get this information--
I think it was using diskutil while trying to reinstall my system, after another supposed clean install. I used terminal during setup just to see which files were still on my system. All of them were still there except for the extra applications that I'd installed after my last setup! (Firefox, etc.)
Anyway it showed-
/dev/disk2 on Volumes (asynch, local, union)
/dev/disk3 on /private/var/tmp (asynch, local, union)
/dev/disk4 on /private/var/run (asynch, local, union)
/dev/disk0s2 on /Volumes/untitled (local, journalled)


and finally netstat shows-
tcp4 0 0 192.168.1.4.49596 broker.rr.com.http LAST_ACK
tcp4 0 0 localhost.netinfo-loca localhost.1015 ESTABLISHED
tcp4 0 0 localhost.1015 localhost.netinfo-loca ESTABLISHED
tcp4 0 0 localhost.netinfo-loca localhost.1017 ESTABLISHED
tcp4 0 0 localhost.1017 localhost.netinfo-loca ESTABLISHED
tcp4 0 0 localhost.netinfo-loca localhost.1021 ESTABLISHED
tcp4 0 0 localhost.1021 localhost.netinfo-loca ESTABLISHED
udp4 0 0 *.mdns *.*
udp6 0 0 *.5353 *.*
udp4 0 0 localhost.49170 localhost.1022
udp4 0 0 localhost.49169 localhost.1022
udp4 0 0 localhost.1022 *.*
udp4 0 0 localhost.49165 localhost.1023
udp4 0 0 localhost.1023 *.*
udp4 0 0 *.ipp *.*
udp4 0 0 192.168.1.4.ntp *.*
udp6 0 0 fe80:1::1.123 *.*
udp6 0 0 localhost.123 *.*
udp4 0 0 localhost.ntp *.*
udp6 0 0 *.123 *.*
udp4 0 0 *.ntp *.*
udp6 0 0 *.5353 *.*
udp4 0 0 *.mdns *.*
udp4 0 0 localhost.netinfo-loca *.*
udp4 0 0 *.* *.*
Active LOCAL (UNIX) domain sockets
Address Type Recv-Q Send-Q Inode Conn Refs Nextref Addr
263f770 stream 0 0 0 263f7f8 0 0 /var/run/mDNSResponder
263f7f8 stream 0 0 0 263f770 0 0
263f880 stream 0 0 0 263f908 0 0 /var/run/mDNSResponder
263f908 stream 0 0 0 263f880 0 0
263f990 stream 0 0 0 263fa18 0 0 /var/run/mDNSResponder
263fa18 stream 0 0 0 263f990 0 0
263faa0 stream 0 0 0 263fb28 0 0 /var/run/mDNSResponder
263fb28 stream 0 0 0 263faa0 0 0
263fc38 stream 0 0 0 263fbb0 0 0 /var/run/mDNSResponder
263fbb0 stream 0 0 0 263fc38 0 0
263fcc0 stream 0 0 0 263fee0 0 0 /var/run/mDNSResponder
263fee0 stream 0 0 0 263fcc0 0 0
1f68088 stream 0 0 260d738 0 0 0 /private/var/run/cupsd
1f68990 stream 0 0 0 1f68aa0 0 0 /var/run/mDNSResponder
1f68aa0 stream 0 0 0 1f68990 0 0
1f68d48 stream 0 0 23f57bc 0 0 0 /var/run/pppconfd
1f68550 stream 0 0 0 1f68a18 0 0 /var/run/asl_input
1f68a18 stream 0 0 0 1f68550 0 0
1f68b28 stream 0 0 2347b58 0 0 0 /var/run/mDNSResponder
1f685d8 stream 0 0 2328b58 0 0 0 /var/run/asl_input
1f68e58 stream 0 0 23148c4 0 0 0 /var/run/usbmuxd
1f68ee0 stream 0 0 2314948 0 0 0 /var/run/portmap.socket
1f68f68 stream 0 0 1f5c294 0 0 0 /var/launchd/0/sock
1f68000 dgram 0 0 0 263fdd0 263fdd0 0
263fdd0 dgram 0 0 0 1f68000 1f68000 0
263fe58 dgram 0 0 0 1f68330 1f68330 0
1f68330 dgram 0 0 0 263fe58 263fe58 0
263fd48 dgram 0 0 0 1f68908 0 263ff68
263ff68 dgram 0 0 0 1f68908 0 1f68110
1f68110 dgram 0 0 0 1f68908 0 1f68198
1f68198 dgram 0 0 0 1f68908 0 1f68220
1f68220 dgram 0 0 0 1f68908 0 1f682a8
1f682a8 dgram 0 0 0 1f68908 0 1f683b8
1f683b8 dgram 0 0 0 1f68908 0 1f68660
1f68660 dgram 0 0 0 1f68908 0 1f68440
1f68770 dgram 0 0 0 1f68880 1f68880 0
1f68880 dgram 0 0 0 1f68770 1f68770 0
1f68bb0 dgram 0 0 0 1f68cc0 1f68cc0 0
1f68cc0 dgram 0 0 0 1f68bb0 1f68bb0 0
1f68440 dgram 0 0 0 1f68908 0 1f687f8
1f687f8 dgram 0 0 0 1f68908 0 1f684c8
1f684c8 dgram 0 0 0 1f68908 0 1f686e8
1f68dd0 dgram 0 0 0 1f68c38 1f68c38 0
1f68c38 dgram 0 0 0 1f68dd0 1f68dd0 0
1f686e8 dgram 0 0 0 1f68908 0 0
1f68908 dgram 0 0 23289cc 0 263fd48 0 /var/run/syslog


Thanks for your help!!

 

[Soulwar]

The Apple hardware test cd should have came with your Mac.
By the way, which Mac are you using, and what OS?
It sounds more like a hardware problem then software...

 

[Giaguara]

Apple Hardware Test is on the Install disc 1 that came with your computer. For an Intel based Mac, hold down the letter D at startup.

 

[mazzy]

I have an intel mac mini 10.4.5. I'll do the hardware test and let you know the results.

Thanks!

 

[mazzy]

My hardware test results showed everything was normal, so that's good news. I still think I have some kind of malware. After a supposed clean install, I have folders and files that I don't think come with OS X.
/usr/bin 122.4 MB
/usr/lib 72.3 MB
/usr/libexec 32 MB
/usr/sbin 67 MB
/usr/share 203.4 MB
/usr/standalone 468 KB

I understand Darwin kernel, but I don't understand Root: xnu....
Darwin Kernel version 8.11.1
Root: xnu -792.23.20 ~1/Release I386

Again, thanks!