Leopard install problems / hacked Mac ??

Zincfinga

Hi there,
I need help, please. I have a Powerbook G4. I think I got a trojan while running Tiger before the last Apple security update (Sep. 10, 2009?). Revealing hidden files with MainMenu showed a hidden mirror mount of my HDD on my 'network' (I think I have this again). Since then, I have tried to reinstall Leopard 5 or 6 times from a retail copy. Guys at the 'Genius' Bar tell me I'm just paranoid, but I think something is up.

After booting from Leopard DVD and secure erasing then formatting my HDD with a single volume, running 'diskutil info' from console lists 6 mounted disks. Disk0 = my HDD, disk1 = DVD, disk2-disk5 are 'file system = UFS' (nothing is attached to comp other than power cord). Also, the volume I create is missing ~1 GB of space 'not avail' and has 3 files and 3 folders (this may all be normal, IDK, just trying to give as much detail as possible).

So...after installing Leopard (before attaching anything to the Mac or connecting to the internet), I notice many strange 'Date Created' and 'Date Modified' dates (some from 1976..see screenshots, taken immediately after install), root certificates with 'not trusted' warnings in Keychain, and lots of 'alias' and other files that seem not to belong.

When I do connect to the internet, Safari wants my 'login password', and 'Stealth Mode' firewall reveals an instant flood of UDP connection attempts (I also 'hard reset' my Airport Express and updated it).

I don't know what's going on, but it sure doesn't seem right. Please have a look and give me any thought or help!


Thanks,
Jake
 

Why do you insist that the guys at the Genius bar are pulling your leg? My guess is that the problem with your dates is that you modified files before you properly set the clock--if you ever properly set the clock.

The bottom line is that the only thing that is up is your own paranoia.
 
Also, I took the screenshots BEFORE opening ANY files, and the last step of the setup after installation was setting the date.

Other things that are happening now:

System preferences are being changed despite being locked.
The group 'administrators' keeps appearing in 'allow access for' in 'remote apple events' under 'sharing'.

'DL important updates' under 'Software Update' gets checked despite me un-checking then locking preferences.

BTW, I don't think they're pulling my leg. I think they assume I'm just being paranoid, and they didn't even look at the logs. Did you??
 
Some of what you see may be caused by your dead backup battery, which would dump your time & date (reverts to 1976 on your model) until you set the time and date yourself, or the network connection finalizes so the time & date can update via the network.
The only strangeness that I see anywhere in your 'logs' is the disk2. That's apparently a 160GB drive image, created on a sparse bundle disk. That would either be used by FileVault, or might be your Time Machine backup.
That would likely stay in place, because the backup that you restored from would keep record of the volumes used for your time machine backup. Does that help you at all?
 
What do you find out when you check some of the problem areas that YOU see, on another Mac? You will likely find that those are perfectly ordinary, and (even with questions) are no cause for any special attention.
I think you will also find that most folks here will not provide support for paranoia, and may even offer encouragement that your computer is likely normal, even though I am not so sure about me... :D
 
Thanks for your replies, DeltaMac,

Of course I expect most ppl to think I'm some paranoid fool. I ran Tiger on this machine for 4 years with no firewall and never had a problem or suspected one. I am not a paranoid person and am very familiar with the GUI side of Mac OS X. I know something is up, but I don't know enough about it to say what exactly is going on. I don't have any 'backup' image and have never turned Time Machine on, but I did use File Vault. Your explanation of the dates would make sense if they were either the 'default date' or the current one, but there are many dates, esp. from 2007.

So...I installed Onyx and revealed hidden files. Please look at the attached image and tell me if it looks normal. (see the two 'drives' called 'dev'...when I click on the bottom one the name changes into 'etc' (showing 2 'etc').....if I click the bottom of those two, it changes to 'home' (showing 2 'home'), and so on...

Also, my home folder is now an 'alias'.

Thanks for your time,
Jake
 

Attachments: Picture 72.png
If I click 'users' in the left column, the one in the right becomes highlighted and I see the users to the right of that column...my whole drive seems mirrored. Normal??
 
... I know something is up, but I don't know enough about it to say what exactly is going on. I don't have any 'backup' image and have never turned Time Machine on, but I did use File Vault. ...
The more you write, the clearer it becomes that you have convinced yourself that you have a problem. Now you are looking for confirmation. My advice to you is to get a move on. The wild geese are ready to fly south for the Winter.
 
"Other than that, Mrs. Lincoln, how was the play?"

Is there something not actually working on the Mac? Aside from weird modification dates?

I am not getting what the problem is--and I am not seeing all of the "users" in the linked pickies--unless I am missing something?

--J.D.
 
When I do the same as you (displaying all hidden files, then look in the various directories), then yes, I can duplicate what you see. Not a problem, but you are just looking at your same hard drive directory through two different paths - there's really nothing else you can read into that, except that it can be confusing to the user, and that (the confusion) seems to be working in your case. You've not shown anything yet that can be interpreted as a problem.
Turn your hidden files back off, and go back to using your computer.
What else can we help you with?
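One way to check DeltaMac's point for yourself, as an added example that is not part of the thread: compare the two paths by inode and list where the symlinks point. The sandbox directory below is constructed to mimic the Mac OS X layout (etc -> private/etc) so the script runs anywhere; on a real Mac you would pass / instead.

```shell
#!/bin/sh
# Added example (not from the thread): show that two directories that look like
# duplicates in a hidden-file view are one directory reached through a symlink.
# On Mac OS X, /etc, /tmp and /var are symlinks into /private, which is why a
# file browser with hidden items shown appears to "mirror" the drive.

# same_dir A B: print "same" if A and B resolve to one inode, else "different".
# ls -L follows symlinks, -d lists the directory itself, -i prints its inode.
same_dir() {
    a=$(ls -Lid "$1" | awk '{print $1}')
    b=$(ls -Lid "$2" | awk '{print $1}')
    if [ "$a" = "$b" ]; then echo same; else echo different; fi
}

# symlink_targets DIR: print "name -> target" for each symlink directly in DIR,
# so an unexpected link (one not pointing into private/) stands out.
symlink_targets() {
    for p in "$1"/*; do
        if [ -L "$p" ]; then
            printf '%s -> %s\n' "$(basename "$p")" "$(readlink "$p")"
        fi
    done
}

# Constructed sandbox standing in for the root of the startup disk.
SANDBOX=$(mktemp -d)
mkdir -p "$SANDBOX/private/etc" "$SANDBOX/Users"
ln -s private/etc "$SANDBOX/etc"
touch "$SANDBOX/private/etc/hosts"

same_dir "$SANDBOX/etc" "$SANDBOX/private/etc"    # same
same_dir "$SANDBOX/Users" "$SANDBOX/private/etc"  # different
symlink_targets "$SANDBOX"                         # etc -> private/etc
```

Run `rm -rf "$SANDBOX"` afterwards to remove the constructed directory.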
 
Good point, Dr. X...I should have started with more of such info. So far, my 'kernel task' and 'launchd' are using crazy amounts of CPU time (just checked with only Safari open, 2 windows...100% being used). Also just saw that 'Safari allow all incoming connections' has been added to my profile....considering my 'stealth mode' firewall usually shows many, mostly UDP, connection attempts per minute, I should have more to report soon. I could say what happened before when it progressed, but that may come off as crazy and paranoid. Please let me know any screenshots that would be diagnostic of some kinda crazy prob like I speak of. I'm thankful I got a few open-minded thinkers 'on board' from the beginning....seems dogma trumps logic in a lot of Mac "fan boys"...this thing is a doozy (not that I'm sure that I still have it...these posts are starting to make me think I've been premature with thinking it's still here)

Also, Gmail will never completely finish loading in Safari (https links in particular all seem really slow and problematic)

Is it normal for a hidden 'Safari -V100' (or something like that) folder to appear on any drive you stick in a Mac?
 

Attachments: Picture 75.png, Picture 74.png, Picture 73.png
The -V100 files are Spotlight index files.
These can be somewhat controlled by excluding the drives in the Spotlight Preferences, under "Privacy".

For the rest of your problems I can offer no suggestions, except maybe to renew the Aluminum foil in your hat. ;)
 
Thanks for the info. I think you're right...they were Spotlight 'V-100' folders. So do you guys get multiple denied connection attempts per minute if you turn on 'stealth mode' firewall??

Previously, when I was running Tiger and got the trojan, these are a few of the things I found (and when I ordered my custom made lead hat ;) )

I think I had this or something very similar: http://www.macshadows.com/kb/index.php?title=ARDAgent_exploit

http://rixstep.com/1/20080620,00.shtml
http://www.macosxhints.com/article.php?story=20080620052233168
 